diff --git a/packages/windows/_dev/build/build.yml b/packages/windows/_dev/build/build.yml
index 08d85edcf9a..809e76063e9 100644
--- a/packages/windows/_dev/build/build.yml
+++ b/packages/windows/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: git@1.12
+    reference: git@8.0
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 3445847cc5d..589a24da554 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.7.0"
+  changes:
+    - description: Update to ECS 8.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2515
 # newer versions go on top
 - version: "1.6.0"
   changes:
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
index 1f6958b7011..c7eb3a05c92 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
@@ -22,7 +22,7 @@
             }
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "log": {
             "level": "verbose"
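Review bot: `reference: git@8.0` in build.yml pins the ECS import to a branch name rather than a release, so the field definitions pulled in at build time can move whenever the upstream 8.0 branch is updated, with no change in this repository to review. The previous `git@1.12` had the same shape, so this is not a regression, but the changelog entry in the next hunk advertises a specific "ECS 8.0" and the fixtures in this commit assert `ecs.version` as `8.0.0`. Pinning to the matching release tag instead (`reference: git@v8.0.0`, assuming the build tooling accepts tag refs as it does branch refs) would make the generated mappings reproducible and keep the imported definitions from drifting away from the version the package claims.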
@@ -37,7 +37,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:49:18.310984200Z", + "ingested": "2022-01-12T05:16:15.030902415Z", "code": "4105", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -102,7 +102,7 @@ ], "@timestamp": "2020-05-15T08:11:47.897Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -148,7 +148,7 @@ }, "event": { "sequence": 34, - "ingested": "2021-12-09T13:49:18.310994Z", + "ingested": "2022-01-12T05:16:15.030904657Z", "code": "4103", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant 
\u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): 
name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -184,7 +184,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "verbose" @@ -199,7 +199,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:49:18.311000300Z", + "ingested": "2022-01-12T05:16:15.030905579Z", "code": "4106", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -236,7 +236,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "verbose" 
@@ -253,7 +253,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:49:18.311036400Z", + "ingested": "2022-01-12T05:16:15.030906349Z", "code": "4104", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
             "provider": "Microsoft-Windows-PowerShell",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json
index 16222c981bb..b532e648de2 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json
@@ -22,7 +22,7 @@
             }
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "log": {
             "level": "verbose"
@@ -37,7 +37,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:49:18.946679500Z", + "ingested": "2022-01-12T05:16:17.039425715Z", "code": "4105", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -102,7 +102,7 @@ ], "@timestamp": "2020-05-15T08:11:47.897Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -148,7 +148,7 @@ }, "event": { "sequence": 34, - "ingested": "2021-12-09T13:49:18.946689400Z", + "ingested": "2022-01-12T05:16:17.039428693Z", "code": "4103", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant 
\u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): 
name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -184,7 +184,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "verbose" @@ -199,7 +199,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:49:18.946695800Z", + "ingested": "2022-01-12T05:16:17.039429695Z", "code": "4106", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -236,7 +236,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "verbose" 
@@ -253,7 +253,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:49:18.946702100Z", + "ingested": "2022-01-12T05:16:17.039430473Z", "code": "4104", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
             "provider": "Microsoft-Windows-PowerShell",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json
index ab2b941ceb7..8e8c6f12819 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json
@@ -31,7 +31,7 @@
             "outcome": "success"
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "log": {
             "level": "information",
@@ -43,7 +43,7 @@
             "name": "WIN-41OB2LO92CR.wlbeat.local"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:19.558723400Z",
+            "ingested": "2022-01-12T05:16:18.700629099Z",
             "code": "1100",
             "provider": "Microsoft-Windows-Eventlog",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json
index 4379d1339aa..feaaf2a0289 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json
@@ -41,7 +41,7 @@
             "outcome": "success"
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "related": {
             "user": [
@@ -58,7 +58,7 @@
             "name": "WIN-41OB2LO92CR.wlbeat.local"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:19.713823200Z",
+            "ingested": "2022-01-12T05:16:18.932471733Z",
             "code": "1102",
             "provider": "Microsoft-Windows-Eventlog",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json
index 8ffc31b1602..1ada71dc9f2 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json
@@ -31,7 +31,7 @@
             "outcome": "success"
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "log": {
             "level": "error",
@@ -43,7 +43,7 @@
             "name": "WIN-41OB2LO92CR.wlbeat.local"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:19.942134900Z",
+            "ingested": "2022-01-12T05:16:19.597216295Z",
             "code": "1104",
             "provider": "Microsoft-Windows-Eventlog",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json
index c853233334b..b0f659d9607 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json
@@ -36,7 +36,7 @@
             "outcome": "success"
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "log": {
             "level": "information",
@@ -48,7 +48,7 @@
             "name": "WIN-41OB2LO92CR.wlbeat.local"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:20.094475800Z",
+            "ingested": "2022-01-12T05:16:20.064677881Z",
             "code": "1105",
             "provider": "Microsoft-Windows-Eventlog",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json
index 79c55bc7fa3..2d914d6d5e1 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json
@@ -13,6 +13,7 @@
             "pid": 764,
             "executable": "C:\\Windows\\System32\\services.exe"
         },
+        "@timestamp": "2020-07-28T13:22:18.799Z",
         "winlog": {
             "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
             "process": {
@@ -54,26 +55,25 @@
             "provider_name": "Microsoft-Windows-Security-Auditing",
             "outcome": "success"
         },
-        "log": {
-            "level": "information",
-            "file": {
-                "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml"
-            }
-        },
-        "@timestamp": "2020-07-28T13:22:18.799Z",
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "related": {
             "user": [
                 "WIN-BVM4LI1L1Q6$"
             ]
         },
+        "log": {
+            "level": "information",
+            "file": {
+                "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml"
+            }
+        },
         "host": {
             "name": "WIN-BVM4LI1L1Q6.TEST.local"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:20.259672100Z",
+            "ingested": "2022-01-12T05:16:20.367757072Z",
             "code": "4670",
             "provider": "Microsoft-Windows-Security-Auditing",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json
index eca02db6f6b..b719d24ee0a 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json
@@ -50,7 +50,7 @@
             "outcome": "success"
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "related": {
             "user": [
@@ -67,7 +67,7 @@
             "name": "WIN-BVM4LI1L1Q6.TEST.local"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:20.536429600Z",
+            "ingested": "2022-01-12T05:16:21.543640792Z",
             "code": "4706",
             "provider": "Microsoft-Windows-Security-Auditing",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json
index f736e4bffb1..6269d516ade 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json
@@ -42,7 +42,7 @@
             "outcome": "success"
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "related": {
             "user": [
@@ -59,7 +59,7 @@
             "name": "WIN-BVM4LI1L1Q6.TEST.local"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:20.783827300Z",
+            "ingested": "2022-01-12T05:16:21.884763576Z",
             "code": "4707",
             "provider": "Microsoft-Windows-Security-Auditing",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json
index 06701098979..539c144622b 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json
@@ -42,7 +42,7 @@
             "outcome": "success"
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "related": {
             "user": [
@@ -59,7 +59,7 @@
             "name": "WIN-BVM4LI1L1Q6.TEST.local"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:21.000818800Z",
+            "ingested": "2022-01-12T05:16:22.712097993Z",
             "code": "4713",
             "provider": "Microsoft-Windows-Security-Auditing",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json
index d7d461105a0..a247e38971d 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json
@@ -50,7 +50,7 @@
             "outcome": "success"
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "related": {
             "user": [
@@ -67,7 +67,7 @@
             "name": "WIN-BVM4LI1L1Q6.TEST.local"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:21.215352400Z",
+            "ingested": "2022-01-12T05:16:23.022353581Z",
             "code": "4716",
             "provider": "Microsoft-Windows-Security-Auditing",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json
index 918efde2780..bc114bc054d 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json
@@ -43,7 +43,7 @@
             "outcome": "success"
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "related": {
             "user": [
@@ -60,7 +60,7 @@
             "name": "WIN-BVM4LI1L1Q6"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:21.448485700Z",
+            "ingested": "2022-01-12T05:16:23.658042468Z",
             "code": "4717",
             "provider": "Microsoft-Windows-Security-Auditing",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json
index b06e2d07153..cf9672db2f0 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json
@@ -43,7 +43,7 @@
             "outcome": "success"
         },
         "ecs": {
-            "version": "1.12.0"
+            "version": "8.0.0"
         },
         "related": {
             "user": [
@@ -60,7 +60,7 @@
             "name": "WIN-BVM4LI1L1Q6"
         },
         "event": {
-            "ingested": "2021-12-09T13:49:21.686161200Z",
+            "ingested": "2022-01-12T05:16:24.157740310Z",
             "code": "4718",
             "provider": "Microsoft-Windows-Security-Auditing",
             "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json index 72aa79bbc99..088844a96f6 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json @@ -50,7 +50,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -67,7 +67,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:49:21.922092300Z", + "ingested": "2022-01-12T05:16:24.553365797Z", "code": "4719", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json index 643dd43d001..89be14586eb 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json @@ -51,7 +51,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -68,7 +68,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:49:22.158931800Z", + "ingested": "2022-01-12T05:16:25.252869848Z", "code": "4719", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json index 0411434ab67..34dab01edde 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json @@ -49,7 +49,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -66,7 +66,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:49:22.386517Z", + "ingested": "2022-01-12T05:16:42.216548813Z", "code": "4739", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json index c1c4261d6b5..0e94c22ab22 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json @@ -51,7 +51,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -68,7 +68,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:22.618861600Z", + "ingested": "2022-01-12T05:16:54.018008333Z", "code": "4743", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json index 3b3ab546d15..74df7d98791 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json 
@@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-18T16:26:46.874Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,26 +45,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml" - } - }, - "@timestamp": "2019-12-18T16:26:46.874Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:22.888830Z", + "ingested": "2022-01-12T05:17:04.764816597Z", "code": "4744", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json index 8d7722f421a..e07bab56b94 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-18T16:29:05.017Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { 
@@ -44,26 +45,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml" - } - }, - "@timestamp": "2019-12-18T16:29:05.017Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:23.142370200Z", + "ingested": "2022-01-12T05:17:15.674723767Z", "code": "4745", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json index d467909b836..29f0fdcb05a 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-18T16:31:01.611Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,15 +45,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml" - } - }, - "@timestamp": "2019-12-18T16:31:01.611Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:23.385857700Z", + "ingested": "2022-01-12T05:17:28.666025185Z", "code": "4746", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json index a441421a6e5..372addb5a35 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-18T16:35:16.681Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,15 +45,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml" - } - }, - "@timestamp": "2019-12-18T16:35:16.681Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:23.679961Z", + "ingested": "2022-01-12T05:17:49.621225037Z", "code": "4747", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json index 461e6aba397..d27b45a6c6b 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:01:45.982Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -42,26 +43,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml" - } - }, - "@timestamp": "2019-12-19T08:01:45.982Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:23.991318600Z", + "ingested": "2022-01-12T05:18:10.771544375Z", "code": "4748", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json index e3e8effd983..58cb1aa9953 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json 
@@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:03:42.723Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,26 +45,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml" - } - }, - "@timestamp": "2019-12-19T08:03:42.723Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:24.244081200Z", + "ingested": "2022-01-12T05:18:23.465141248Z", "code": "4749", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json index b477cb2947e..002183a22b7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:10:57.473Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { 
@@ -44,26 +45,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml" - } - }, - "@timestamp": "2019-12-19T08:10:57.473Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:24.483829100Z", + "ingested": "2022-01-12T05:18:39.374215274Z", "code": "4750", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json index ecb37b97843..5b03f05e120 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:20:29.088Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,15 +45,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml" - } - }, - "@timestamp": "2019-12-19T08:20:29.088Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:24.727114100Z", + "ingested": "2022-01-12T05:18:50.415643906Z", "code": "4751", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json index 90de6a84a95..88004a766a3 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:21:23.644Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,15 +45,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml" - } - }, - "@timestamp": "2019-12-19T08:21:23.644Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:25.031682700Z", + "ingested": "2022-01-12T05:19:01.048869382Z", "code": "4752", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json index b27ceb6bdd7..6afb498c0a7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:24:36.595Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -42,26 +43,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" - } - }, - "@timestamp": "2019-12-19T08:24:36.595Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:25.348788400Z", + "ingested": "2022-01-12T05:19:02.395059046Z", "code": "4753", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json index 40bcc2ccb38..4080249f5b7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json 
@@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:26:26.143Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,26 +45,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml" - } - }, - "@timestamp": "2019-12-19T08:26:26.143Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:25.584313500Z", + "ingested": "2022-01-12T05:19:03.340454926Z", "code": "4759", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json index bac0357a6d5..fe663b8eaa7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:28:21.030Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { 
@@ -44,26 +45,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml" - } - }, - "@timestamp": "2019-12-19T08:28:21.030Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:25.827742800Z", + "ingested": "2022-01-12T05:19:04.515699675Z", "code": "4760", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json index 7621713a598..117ffbcbaf2 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:29:38.448Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,15 +45,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" - } - }, - "@timestamp": "2019-12-19T08:29:38.448Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:26.083510200Z", + "ingested": "2022-01-12T05:19:05.678972947Z", "code": "4761", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json index 4d76b9f7e09..dfcfe5e66a7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:33:25.967Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -44,15 +45,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" - } - }, - "@timestamp": "2019-12-19T08:33:25.967Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -60,11 +54,17 @@ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:26.396143700Z", + "ingested": "2022-01-12T05:19:06.399342493Z", "code": "4762", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json index cb52d9e625c..f0e4bdd76b1 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2019-12-19T08:34:23.162Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -42,26 +43,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" - } - }, - "@timestamp": "2019-12-19T08:34:23.162Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "at_adm" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:26.696546700Z", + "ingested": "2022-01-12T05:19:07.318158028Z", "code": "4763", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json index c6cdaa5b703..ead9a5be7a7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json 
@@ -47,7 +47,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -65,7 +65,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:49:26.934347800Z", + "ingested": "2022-01-12T05:19:07.752563370Z", "code": "4817", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json index 2ecf8543a3d..fbd859b1417 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json @@ -35,7 +35,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information", @@ -47,7 +47,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:49:27.170161Z", + "ingested": "2022-01-12T05:19:08.704383879Z", "code": "4902", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json index 17330065c39..a383a6d5be9 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json @@ -13,6 +13,7 @@ "pid": 3608, "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe" }, + "@timestamp": "2020-08-19T07:56:52.019Z", "winlog": { "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "process": { 
@@ -46,26 +47,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml" - } - }, - "@timestamp": "2020-08-19T07:56:52.019Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "WIN-BVM4LI1L1Q6$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml" + } + }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:49:27.330318200Z", + "ingested": "2022-01-12T05:19:08.929321388Z", "code": "4904", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json index 15487ba6959..c458d6f04d9 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json @@ -13,6 +13,7 @@ "pid": 4964, "executable": "-" }, + "@timestamp": "2020-08-19T07:56:51.579Z", "winlog": { "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "process": { 
@@ -46,26 +47,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml" - } - }, - "@timestamp": "2020-08-19T07:56:51.579Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "WIN-BVM4LI1L1Q6$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml" + } + }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:49:27.587226700Z", + "ingested": "2022-01-12T05:19:09.798135637Z", "code": "4905", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json index b6f2b5af795..fb08b058776 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json @@ -34,7 +34,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information", @@ -46,7 +46,7 @@ "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:49:27.825407300Z", + "ingested": "2022-01-12T05:19:10.154458073Z", "code": "4906", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json index 4168d754b87..589ba2bc4b7 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json @@ -13,6 +13,7 @@ "pid": 4300, "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe" }, + "@timestamp": "2020-08-19T07:56:17.112Z", "winlog": { "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "process": { @@ -49,26 +50,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml" - } - }, - "@timestamp": "2020-08-19T07:56:17.112Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "WIN-BVM4LI1L1Q6$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml" + } + }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" }, "event": { - "ingested": "2021-12-09T13:49:27.985693600Z", + "ingested": "2022-01-12T05:19:10.406669356Z", "code": "4907", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json index c5598dcd88c..1f393d91913 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json 
@@ -13,6 +13,7 @@ "pid": 496, "executable": "C:\\Windows\\System32\\lsass.exe" }, + "@timestamp": "2020-04-06T06:39:04.549Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -48,26 +49,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml" - } - }, - "@timestamp": "2020-04-06T06:39:04.549Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "DC_TEST2K12$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:28.241198500Z", + "ingested": "2022-01-12T05:19:11.428690578Z", "code": "4673", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json index b642bbc77e9..02bfd298106 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2020-04-02T14:34:08.889Z", "winlog": { "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "process": { 
@@ -44,21 +45,20 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml" - } - }, - "@timestamp": "2020-04-02T14:34:08.889Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "Administrator" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml" + } + }, "service": { "name": "winlogbeat", "type": "Win32 Own Process" @@ -67,7 +67,7 @@ "name": "WIN-41OB2LO92CR.wlbeat.local" }, "event": { - "ingested": "2021-12-09T13:49:28.487503600Z", + "ingested": "2022-01-12T05:19:11.999016677Z", "code": "4697", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json index 12b89d56426..5ddf1e55991 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json @@ -60,7 +60,7 @@ }, "@timestamp": "2020-04-01T08:45:44.171Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -77,7 +77,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:28.747988200Z", + "ingested": "2022-01-12T05:19:12.631723738Z", "code": "4768", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json index ddb7c263c3c..919ef9bcd01 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json @@ -59,7 +59,7 @@ }, "@timestamp": "2020-04-01T08:45:44.171Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -76,7 +76,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:29.009644600Z", + "ingested": "2022-01-12T05:19:13.313531895Z", "code": "4769", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json index d7d7e222ed9..f9a5b28d1c9 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json @@ -54,7 +54,7 @@ }, "@timestamp": "2020-04-01T07:32:55.010Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -71,7 +71,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:29.273298400Z", + "ingested": "2022-01-12T05:19:14.199050989Z", "code": "4770", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json index 01fdc4730b2..70516597b25 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json @@ -56,7 +56,7 @@ }, "@timestamp": "2020-03-31T07:50:27.168Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -73,7 +73,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:29.523881300Z", + "ingested": "2022-01-12T05:19:14.929349183Z", "code": "4771", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json index c792754bfde..379e719cde1 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json @@ -42,7 +42,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -59,7 +59,7 @@ "name": "DC_TEST2k12.TEST.SAAS" }, "event": { - "ingested": "2021-12-09T13:49:29.762661300Z", + "ingested": "2022-01-12T05:19:15.381355247Z", "code": "4776", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json index 2902fa99439..3f1e1bb339b 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2020-04-05T16:33:32.388Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -40,19 +41,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml" - } - }, - "source": { - "ip": "10.100.150.9", - "domain": "EQP01777" - }, - "@timestamp": "2020-04-05T16:33:32.388Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -62,11 +52,21 @@ "10.100.150.9" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, + "source": { + "ip": "10.100.150.9", + "domain": "EQP01777" + }, "event": { - "ingested": "2021-12-09T13:49:29.967352100Z", + "ingested": "2022-01-12T05:19:15.988963760Z", "code": "4778", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json index 7017706a35b..6222d0365cd 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json @@ -8,6 +8,7 @@ "type": "filebeat", "version": "8.0.0" }, + "@timestamp": "2020-04-03T10:18:01.882Z", "winlog": { "computer_name": "DC_TEST2k12.TEST.SAAS", "process": { @@ -40,19 +41,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml" - } - }, - "source": { - "ip": "10.100.150.17", - "domain": "EQP01777" - }, - "@timestamp": "2020-04-03T10:18:01.882Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -62,11 +52,21 @@ "10.100.150.17" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml" + } + }, "host": { "name": "DC_TEST2k12.TEST.SAAS" }, + "source": { + "ip": "10.100.150.17", + "domain": "EQP01777" + }, "event": { - "ingested": "2021-12-09T13:49:30.189615100Z", + "ingested": "2022-01-12T05:19:16.436236473Z", "code": "4779", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json index 67bd3fc0fc3..fa1cda25ca5 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json 
@@ -13,6 +13,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:10:39.786Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -59,15 +60,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:39.786Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -75,11 +69,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420386900Z", + "ingested": "2022-01-12T05:19:17.318727385Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -111,6 +111,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:10:40.255Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -157,15 +158,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:40.255Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -173,11 +167,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420391200Z", + "ingested": "2022-01-12T05:19:17.318730007Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -266,7 +266,7 @@ }, "@timestamp": "2019-03-29T21:10:40.380Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -281,7 +281,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420397800Z", + "ingested": "2022-01-12T05:19:17.318730454Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -313,6 +313,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:10:40.505Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -359,15 +360,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:40.505Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -375,11 +369,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420402600Z", + "ingested": "2022-01-12T05:19:17.318730884Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
@@ -411,6 +411,7 @@ "pid": 0, "executable": "-" }, + "@timestamp": "2019-03-29T21:10:40.630Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -457,26 +458,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:40.630Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "ANONYMOUS LOGON" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420406900Z", + "ingested": "2022-01-12T05:19:17.318731315Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -508,6 +508,7 @@ "pid": 0, "executable": "-" }, + "@timestamp": "2019-03-29T21:10:53.661Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -554,26 +555,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:53.661Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420412Z", + "ingested": "2022-01-12T05:19:17.318731695Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
@@ -605,6 +605,7 @@ "pid": 0, "executable": "-" }, + "@timestamp": "2019-03-29T21:10:54.661Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -651,26 +652,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:54.661Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420418Z", + "ingested": "2022-01-12T05:19:17.318732157Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -702,6 +702,7 @@ "pid": 0, "executable": "-" }, + "@timestamp": "2019-03-29T21:10:55.458Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -748,26 +749,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:10:55.458Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420423200Z", + "ingested": "2022-01-12T05:19:17.318732667Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
@@ -856,7 +856,7 @@ }, "@timestamp": "2019-03-29T21:13:17.302Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -867,7 +867,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420427200Z", + "ingested": "2022-01-12T05:19:17.318733045Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -899,6 +899,7 @@ "pid": 2812, "executable": "C:\\Windows\\System32\\winlogon.exe" }, + "@timestamp": "2019-03-29T21:13:17.521Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -945,15 +946,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:13:17.521Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -961,11 +955,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420431900Z", + "ingested": "2022-01-12T05:19:17.318733435Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1054,7 +1054,7 @@ }, "@timestamp": "2019-03-29T21:13:17.614Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -1069,7 +1069,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420436200Z", + "ingested": "2022-01-12T05:19:17.318733854Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
@@ -1101,6 +1101,7 @@ "pid": 2188, "executable": "C:\\Windows\\System32\\winlogon.exe" }, + "@timestamp": "2019-03-29T21:13:18.786Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -1147,15 +1148,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:13:18.786Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -1163,11 +1157,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420441700Z", + "ingested": "2022-01-12T05:19:17.318734383Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1199,6 +1199,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:20:48.740Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -1245,15 +1246,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:20:48.740Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -1261,11 +1255,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420446300Z", + "ingested": "2022-01-12T05:19:17.318734779Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1297,6 +1297,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:20:48.740Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -1343,15 +1344,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:20:48.740Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -1359,11 +1353,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420450800Z", + "ingested": "2022-01-12T05:19:17.318735142Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1395,6 +1395,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:20:50.584Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { 
@@ -1441,15 +1442,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:20:50.584Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -1457,11 +1451,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420454400Z", + "ingested": "2022-01-12T05:19:17.318735500Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1493,6 +1493,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:23:42.520Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -1539,15 +1540,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:23:42.520Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -1555,11 +1549,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420459800Z", + "ingested": "2022-01-12T05:19:17.318735861Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
@@ -1591,6 +1591,7 @@ "pid": 508, "executable": "C:\\Windows\\System32\\services.exe" }, + "@timestamp": "2019-03-29T21:26:24.176Z", "winlog": { "computer_name": "vagrant-2012-r2", "process": { @@ -1637,15 +1638,8 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "@timestamp": "2019-03-29T21:26:24.176Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -1653,11 +1647,17 @@ "VAGRANT-2012-R2$" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + } + }, "host": { "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420465300Z", + "ingested": "2022-01-12T05:19:17.318736331Z", "code": "4624", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -1750,7 +1750,7 @@ }, "@timestamp": "2019-03-29T21:45:35.177Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -1764,7 +1764,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:30.420469500Z", + "ingested": "2022-01-12T05:19:17.318736690Z", "code": "4625", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json index 822e84517ed..0effaa6d829 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json @@ -44,7 +44,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -62,7 +62,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:49:35.154219200Z", + "ingested": "2022-01-12T05:19:29.009789227Z", "code": "4722", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -126,7 +126,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -144,7 +144,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:49:35.154227600Z", + "ingested": "2022-01-12T05:19:29.009791859Z", "code": "4722", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json index 7e108203131..7d97dce0d84 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json @@ -45,7 +45,7 @@ "outcome": "failure" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -62,7 +62,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:49:35.537944700Z", + "ingested": "2022-01-12T05:19:30.186175872Z", "code": "4723", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -127,7 +127,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -144,7 +144,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:49:35.537953700Z", + "ingested": "2022-01-12T05:19:30.186178090Z", "code": "4723", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json index 942bd24df8b..ce29b554291 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json @@ -44,7 +44,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -62,7 +62,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:49:35.985269800Z", + "ingested": "2022-01-12T05:19:30.934340941Z", "code": "4724", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -126,7 +126,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -144,7 +144,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:49:35.985278Z", + "ingested": "2022-01-12T05:19:30.934343538Z", "code": "4724", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json index 2e4881719b2..36e582090b2 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json @@ -44,7 +44,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -62,7 +62,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:49:36.413361600Z", + "ingested": "2022-01-12T05:19:32.296236985Z", "code": "4725", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -126,7 +126,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -144,7 +144,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:49:36.413370100Z", + "ingested": "2022-01-12T05:19:32.296239113Z", "code": "4725", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json index be08e2e8a84..056f9cd5bd7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json @@ -45,7 +45,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -63,7 +63,7 @@ "name": "WIN-41OB2LO92CR" }, "event": { - "ingested": "2021-12-09T13:49:36.838300Z", + "ingested": "2022-01-12T05:19:33.381070206Z", "code": "4726", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -128,7 +128,7 @@ "outcome": "success" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -146,7 +146,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-12-09T13:49:36.838309800Z",
+ "ingested": "2022-01-12T05:19:33.381072401Z",
 "code": "4726",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
index cdc51d42674..e323b8de05b 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:26:12.495Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml"
- }
- },
- "@timestamp": "2019-10-22T11:26:12.495Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "WIN-41OB2LO92CR$"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:37.304052Z",
+ "ingested": "2022-01-12T05:19:34.467518Z",
 "code": "4727",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
index 60d2c7f6d1b..ca6a7270c2f 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:33:26.861Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml"
- }
- },
- "@timestamp": "2019-10-22T11:33:26.861Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:37.546890900Z",
+ "ingested": "2022-01-12T05:19:34.937487344Z",
 "code": "4728",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
index ec94b2603cb..afbd4c1efbb 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:33:45.543Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml"
- }
- },
- "@timestamp": "2019-10-22T11:33:45.543Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:37.850981400Z",
+ "ingested": "2022-01-12T05:19:35.848607166Z",
 "code": "4729",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
index 1ae7b06e189..07bcbfcd20f 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:34:01.610Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -42,26 +43,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml"
- }
- },
- "@timestamp": "2019-10-22T11:34:01.610Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:38.159840600Z",
+ "ingested": "2022-01-12T05:19:36.719167607Z",
 "code": "4730",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
index c1ccdff1d35..50f73a257bb 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:29:49.358Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml"
- }
- },
- "@timestamp": "2019-10-22T11:29:49.358Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:38.413708300Z",
+ "ingested": "2022-01-12T05:19:37.258319437Z",
 "code": "4731",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
index 5557cd7ceea..cc435db3d3e 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:31:58.039Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml"
- }
- },
- "@timestamp": "2019-10-22T11:31:58.039Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:38.657225700Z",
+ "ingested": "2022-01-12T05:19:38.158429304Z",
 "code": "4732",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
index a8df2107b98..e07c15e7ab8 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:32:14.894Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml"
- }
- },
- "@timestamp": "2019-10-22T11:32:14.894Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:38.961223300Z",
+ "ingested": "2022-01-12T05:19:38.638958901Z",
 "code": "4733",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
index 11fc4c38c09..fb7f3b9d462 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:32:35.127Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -42,26 +43,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml"
- }
- },
- "@timestamp": "2019-10-22T11:32:35.127Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:39.271630500Z",
+ "ingested": "2022-01-12T05:19:39.087477958Z",
 "code": "4734",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
index a746ab6c0b4..0610cdb7791 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:32:30.425Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml"
- }
- },
- "@timestamp": "2019-10-22T11:32:30.425Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:39.528673800Z",
+ "ingested": "2022-01-12T05:19:39.883441933Z",
 "code": "4735",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
index c9323846631..f6599ef4e78 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:33:57.271Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml"
- }
- },
- "@timestamp": "2019-10-22T11:33:57.271Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:39.770336100Z",
+ "ingested": "2022-01-12T05:19:40.337443959Z",
 "code": "4737",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
index fd844d3adee..82d0e94abb5 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json
@@ -70,7 +70,7 @@
 "outcome": "success"
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
@@ -88,7 +88,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-12-09T13:49:40.027237800Z",
+ "ingested": "2022-01-12T05:19:41.231495195Z",
 "code": "4738",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
index d8ef5861ef4..29986f38646 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json
@@ -44,7 +44,7 @@
 "outcome": "success"
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-12-09T13:49:40.323281100Z",
+ "ingested": "2022-01-12T05:19:41.988303800Z",
 "code": "4740",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
index b06b22e2730..2db2ff4db43 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:34:33.783Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml"
- }
- },
- "@timestamp": "2019-10-22T11:34:33.783Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:40.567987900Z",
+ "ingested": "2022-01-12T05:19:42.720308869Z",
 "code": "4754",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
index 2d88445d368..416c3c5bda4 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:35:09.070Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml"
- }
- },
- "@timestamp": "2019-10-22T11:35:09.070Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:40.817070400Z",
+ "ingested": "2022-01-12T05:19:43.274308805Z",
 "code": "4755",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
index 640103b5409..605c4e7af6e 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:34:58.413Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml"
- }
- },
- "@timestamp": "2019-10-22T11:34:58.413Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:41.069731Z",
+ "ingested": "2022-01-12T05:19:44.057785219Z",
 "code": "4756",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
index 656d9ca9871..0222700438d 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:35:09.070Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml"
- }
- },
- "@timestamp": "2019-10-22T11:35:09.070Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:41.372534300Z",
+ "ingested": "2022-01-12T05:19:44.628543976Z",
 "code": "4757",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
index df35aa344d8..02f3a17079e 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:35:13.550Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -42,26 +43,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml"
- }
- },
- "@timestamp": "2019-10-22T11:35:13.550Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:41.673374400Z",
+ "ingested": "2022-01-12T05:19:45.497532477Z",
 "code": "4758",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
index 0fda5525911..13798d78e77 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-22T11:33:57.271Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "process": {
@@ -43,26 +44,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml"
- }
- },
- "@timestamp": "2019-10-22T11:33:57.271Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "Administrator"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
 },
 "event": {
- "ingested": "2021-12-09T13:49:41.921403400Z",
+ "ingested": "2022-01-12T05:19:45.882905075Z",
 "code": "4764",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
index d85f32ed13b..3cecac7093e 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json
@@ -44,7 +44,7 @@
 "outcome": "success"
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
@@ -62,7 +62,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-12-09T13:49:42.169954Z",
+ "ingested": "2022-01-12T05:19:46.584723694Z",
 "code": "4767",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
index fd1af6c3fee..028da9e8b5d 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json
@@ -46,7 +46,7 @@
 "outcome": "success"
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
@@ -65,7 +65,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-12-09T13:49:42.400276500Z",
+ "ingested": "2022-01-12T05:19:47.094000995Z",
 "code": "4781",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -131,7 +131,7 @@
 "outcome": "success"
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
@@ -150,7 +150,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-12-09T13:49:42.400285800Z",
+ "ingested": "2022-01-12T05:19:47.094003081Z",
 "code": "4781",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
index b99ada28223..9bfb0c90fa8 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json
@@ -46,7 +46,7 @@
 "outcome": "success"
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
@@ -64,7 +64,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-12-09T13:49:42.839726300Z",
+ "ingested": "2022-01-12T05:19:48.424012427Z",
 "code": "4798",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
index fe8937f10c7..164e7c72351 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json
@@ -8,6 +8,7 @@
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "@timestamp": "2019-10-08T10:20:44.472Z",
 "winlog": {
 "computer_name": "WIN-41OB2LO92CR",
 "process": {
@@ -44,26 +45,25 @@
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "outcome": "success"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml"
- }
- },
- "@timestamp": "2019-10-08T10:20:44.472Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
 "WIN-41OB2LO92CR$"
 ]
 },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml"
+ }
+ },
 "host": {
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-12-09T13:49:43.082123200Z",
+ "ingested": "2022-01-12T05:19:48.855694045Z",
 "code": "4799",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
index 78ef3144b4a..df99a4acbe1 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json
@@ -42,7 +42,7 @@
 "outcome": "success"
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
@@ -59,7 +59,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-12-09T13:49:43.331307500Z",
+ "ingested": "2022-01-12T05:19:49.202541623Z",
 "code": "4634",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
@@ -120,7 +120,7 @@
 "outcome": "success"
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "user": [
@@ -137,7 +137,7 @@
 "name": "WIN-41OB2LO92CR"
 },
 "event": {
- "ingested": "2021-12-09T13:49:43.331316200Z",
+ "ingested": "2022-01-12T05:19:49.202543790Z",
 "code": "4634",
 "provider": "Microsoft-Windows-Security-Auditing",
 "kind": "event",
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
index 1797de90fad..242a86f3ce8 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
@@ -23,6 +23,7 @@
 "executable": "C:\\Windows\\System32\\wevtutil.exe",
 "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security"
 },
+ "@timestamp": "2019-11-14T17:10:15.151Z",
 "winlog": {
 "computer_name": "vagrant",
 "process": {
@@ -62,26 +63,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml" - } - }, - "@timestamp": "2019-11-14T17:10:15.151Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml" + } + }, "host": { "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:49:43.741075500Z", + "ingested": "2022-01-12T05:19:50.337859764Z", "code": "4688", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json index 1eee58e1c15..861d5830caa 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json @@ -13,6 +13,7 @@ "pid": 5412, "executable": "C:\\Windows\\System32\\wevtutil.exe" }, + "@timestamp": "2019-11-14T21:26:49.496Z", "winlog": { "computer_name": "vagrant", "process": { 
@@ -44,26 +45,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "@timestamp": "2019-11-14T21:26:49.496Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + } + }, "host": { "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:49:44.040667200Z", + "ingested": "2022-01-12T05:19:51.240508600Z", "code": "4689", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", @@ -95,6 +95,7 @@ "pid": 3988, "executable": "C:\\Windows\\System32\\taskhostw.exe" }, + "@timestamp": "2019-11-14T21:27:46.960Z", "winlog": { "computer_name": "vagrant", "process": { @@ -126,26 +127,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "@timestamp": "2019-11-14T21:27:46.960Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + } + }, "host": { "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:49:44.040672Z", + "ingested": "2022-01-12T05:19:51.240510778Z", "code": "4689", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", 
@@ -177,6 +177,7 @@ "pid": 2760, "executable": "C:\\Windows\\System32\\wevtutil.exe" }, + "@timestamp": "2019-11-14T21:28:18.460Z", "winlog": { "computer_name": "vagrant", "process": { @@ -208,26 +209,25 @@ "provider_name": "Microsoft-Windows-Security-Auditing", "outcome": "success" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "@timestamp": "2019-11-14T21:28:18.460Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ "vagrant" ] }, + "log": { + "level": "information", + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + } + }, "host": { "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:49:44.040676600Z", + "ingested": "2022-01-12T05:19:51.240511243Z", "code": "4689", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json index 5ecb2c47469..9673dc30502 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json @@ -85,7 +85,7 @@ }, "@timestamp": "2021-09-14T09:01:34.006Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -106,7 +106,7 @@ "name": "Win2018Eval" }, "event": { - "ingested": "2021-12-09T13:49:44.739079600Z", + "ingested": "2022-01-12T05:19:53.803627077Z", "code": "22", "provider": "Microsoft-Windows-Sysmon", "created": "2021-09-14T09:20:46.257Z", 
@@ -189,7 +189,7 @@ }, "@timestamp": "2019-07-18T03:34:01.239Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -202,7 +202,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739088800Z", + "ingested": "2022-01-12T05:19:53.803629638Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -285,7 +285,7 @@ }, "@timestamp": "2019-07-18T03:34:01.261Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -298,7 +298,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739094800Z", + "ingested": "2022-01-12T05:19:53.803630083Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -355,9 +355,6 @@ "is_executable": true } }, - "log": { - "level": "information" - }, "@timestamp": "2020-05-07T08:14:44.489Z", "file": { "name": "test.test.exe", @@ -366,7 +363,7 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -377,8 +374,11 @@ "d90d8c7812aec8da0fa173afa1293ab2" ] }, + "log": { + "level": "information" + }, "event": { - "ingested": "2021-12-09T13:49:44.739099600Z", + "ingested": "2022-01-12T05:19:53.803630470Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T08:14:44.489978500Z'/\u003e\u003cEventRecordID\u003e612\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 08:14:44.489\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-c36f-5eb3-2c07-290000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2184\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\u003c/Data\u003e\u003cData Name='IsExecutable'\u003etrue\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -462,7 +462,7 @@ }, "@timestamp": "2019-07-18T03:34:01.449Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -474,7 +474,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739104300Z", + "ingested": "2022-01-12T05:19:53.803630782Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -562,7 +562,7 @@ }, "@timestamp": "2019-07-18T03:34:01.457Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -575,7 +575,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739108200Z", + "ingested": "2022-01-12T05:19:53.803631106Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -637,13 +637,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739111600Z", + "ingested": "2022-01-12T05:19:53.803631446Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:40.599567200Z'/\u003e\u003cEventRecordID\u003e2682\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:40.589\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD (0x00000004)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -696,9 +696,6 @@ "is_executable": false } }, - "log": { - "level": "information" - }, "@timestamp": "2020-05-07T07:27:18.722Z", "file": { "name": "lastalive0.dat", 
@@ -707,7 +704,7 @@ "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -717,8 +714,11 @@ "115106f5b338c87ae6836d50dd890de3da296367" ] }, + "log": { + "level": "information" + }, "event": { - "ingested": "2021-12-09T13:49:44.739115900Z", + "ingested": "2022-01-12T05:19:53.803631751Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T07:27:18.722136100Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 07:27:18.722\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-b2b6-5eb3-18ab-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e776\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=115106F5B338C87AE6836D50DD890DE3DA296367\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -801,7 +801,7 @@ }, "@timestamp": "2019-07-18T03:34:01.494Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -814,7 +814,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739120700Z", + "ingested": "2022-01-12T05:19:53.803632084Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -903,7 +903,7 @@ }, "@timestamp": "2019-07-18T03:34:01.810Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -914,7 +914,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739125300Z", + "ingested": "2022-01-12T05:19:53.803632408Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -993,7 +993,7 @@ }, "@timestamp": "2019-07-18T03:34:01.894Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -1005,7 +1005,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739129700Z", + "ingested": "2022-01-12T05:19:53.803632730Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1093,7 +1093,7 @@ }, "@timestamp": "2019-07-18T03:34:01.948Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1106,7 +1106,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739134Z", + "ingested": "2022-01-12T05:19:53.803633197Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1181,7 +1181,7 @@ }, "@timestamp": "2019-07-18T03:34:02.085Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1192,7 +1192,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739138600Z", + "ingested": "2022-01-12T05:19:53.803633557Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1283,7 +1283,7 @@ }, "@timestamp": "2019-07-18T03:34:02.174Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1298,7 +1298,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739142200Z", + "ingested": "2022-01-12T05:19:53.803633885Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1421,7 +1421,7 @@ }, "@timestamp": "2019-07-18T03:34:02.274Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1441,7 +1441,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739147Z", + "ingested": "2022-01-12T05:19:53.803634207Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1520,7 +1520,7 @@ }, "@timestamp": "2019-07-18T03:34:02.291Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1532,7 +1532,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739151900Z", + "ingested": "2022-01-12T05:19:53.803634527Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1615,7 +1615,7 @@ }, "@timestamp": "2019-07-18T03:34:02.413Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1628,7 +1628,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739157800Z", + "ingested": "2022-01-12T05:19:53.803635082Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1716,7 +1716,7 @@ }, "@timestamp": "2019-07-18T03:34:02.424Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1729,7 +1729,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739164Z", + "ingested": "2022-01-12T05:19:53.803635566Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1804,7 +1804,7 @@ }, "@timestamp": "2019-07-18T03:34:02.427Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1815,7 +1815,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739168400Z", + "ingested": "2022-01-12T05:19:53.803635951Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1904,7 +1904,7 @@ }, "@timestamp": "2019-07-18T03:34:02.469Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1916,7 +1916,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739172600Z", + "ingested": "2022-01-12T05:19:53.803636815Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1972,13 +1972,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739177500Z", + "ingested": "2022-01-12T05:19:53.803637184Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.723248500Z'/\u003e\u003cEventRecordID\u003e2686\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2060,7 +2060,7 @@ }, "@timestamp": "2019-07-18T03:34:02.485Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -2073,7 +2073,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739183100Z", + "ingested": "2022-01-12T05:19:53.803637713Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2156,7 +2156,7 @@ }, "@timestamp": "2019-07-18T03:34:02.500Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -2169,7 +2169,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739187100Z", + "ingested": "2022-01-12T05:19:53.803638142Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2231,13 +2231,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739190900Z", + "ingested": "2022-01-12T05:19:53.803638702Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.726009900Z'/\u003e\u003cEventRecordID\u003e2687\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x00000005)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2292,13 +2292,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739194700Z", + "ingested": "2022-01-12T05:19:53.803639052Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818821400Z'/\u003e\u003cEventRecordID\u003e2690\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2407,7 +2407,7 @@ }, "@timestamp": "2019-07-18T03:34:02.580Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -2418,7 +2418,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739199300Z", + "ingested": "2022-01-12T05:19:53.803639427Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2507,7 +2507,7 @@ }, "@timestamp": "2019-07-18T03:34:02.628Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -2518,7 +2518,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739203700Z", + "ingested": "2022-01-12T05:19:53.803639883Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2653,7 +2653,7 @@ }, "@timestamp": "2019-07-18T03:34:02.633Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -2669,7 +2669,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739207800Z", + "ingested": "2022-01-12T05:19:53.803640312Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2792,7 +2792,7 @@ }, "@timestamp": "2019-07-18T03:34:02.716Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -2806,7 +2806,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739211500Z", + "ingested": "2022-01-12T05:19:53.803640720Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2941,7 +2941,7 @@ }, "@timestamp": "2019-07-18T03:34:02.727Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -2963,7 +2963,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739216300Z", + "ingested": "2022-01-12T05:19:53.803641222Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3056,7 +3056,7 @@ }, "@timestamp": "2019-07-18T03:34:02.733Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -3069,7 +3069,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739221100Z", + "ingested": "2022-01-12T05:19:53.803641593Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3206,7 +3206,7 @@ }, "@timestamp": "2019-07-18T03:34:02.792Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -3228,7 +3228,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739226200Z", + "ingested": "2022-01-12T05:19:53.803641935Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3361,7 +3361,7 @@ }, "@timestamp": "2019-07-18T03:34:02.792Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -3377,7 +3377,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739231800Z", + "ingested": "2022-01-12T05:19:53.803642337Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3456,7 +3456,7 @@ }, "@timestamp": "2019-07-18T03:34:02.809Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -3468,7 +3468,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739237400Z", + "ingested": "2022-01-12T05:19:53.803642694Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -3592,7 +3592,7 @@ }, "@timestamp": "2019-07-18T03:34:02.821Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -3607,7 +3607,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739243300Z", + "ingested": "2022-01-12T05:19:53.803643215Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3690,7 +3690,7 @@ }, "@timestamp": "2019-07-18T03:34:02.821Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -3703,7 +3703,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739249100Z", + "ingested": "2022-01-12T05:19:53.803643592Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3827,7 +3827,7 @@ }, "@timestamp": "2019-07-18T03:34:02.828Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -3841,7 +3841,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739254900Z", + "ingested": "2022-01-12T05:19:53.803643909Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3920,7 +3920,7 @@ }, "@timestamp": "2019-07-18T03:34:02.838Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -3932,7 +3932,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739260700Z", + "ingested": "2022-01-12T05:19:53.803644315Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4011,7 +4011,7 @@ }, "@timestamp": "2019-07-18T03:34:02.839Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4023,7 +4023,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739266800Z", + "ingested": "2022-01-12T05:19:53.803644714Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4141,7 +4141,7 @@ }, "@timestamp": "2019-07-18T03:34:02.841Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4154,7 +4154,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739272600Z", + "ingested": "2022-01-12T05:19:53.803645047Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4261,7 +4261,7 @@ }, "@timestamp": "2019-07-18T03:34:02.844Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4278,7 +4278,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739278400Z", + "ingested": "2022-01-12T05:19:53.803645436Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4322,13 +4322,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739284300Z", + "ingested": "2022-01-12T05:19:53.803645858Z", "code": "16", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e16\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e16\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:37.933324000Z'/\u003e\u003cEventRecordID\u003e1\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4616' ThreadID='4724'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-3541430928-2051711210-1391384369-1001'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.933\u003c/Data\u003e\u003cData Name='Configuration'\u003eC:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\u003c/Data\u003e\u003cData Name='ConfigurationFileHash'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4405,7 +4405,7 @@ }, "@timestamp": "2019-07-18T03:34:02.956Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4417,7 +4417,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739290300Z", + "ingested": "2022-01-12T05:19:53.803646309Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4531,7 +4531,7 @@ }, "@timestamp": "2019-07-18T03:34:03.005Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4543,7 +4543,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739296200Z", + "ingested": "2022-01-12T05:19:53.803646618Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4672,7 +4672,7 @@ }, "@timestamp": "2019-07-18T03:34:03.070Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4687,7 +4687,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739302Z", + "ingested": "2022-01-12T05:19:53.803646948Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4817,7 +4817,7 @@ }, "@timestamp": "2019-07-18T03:34:03.093Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -4839,7 +4839,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739307800Z", + "ingested": "2022-01-12T05:19:53.803647272Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4918,7 +4918,7 @@ }, "@timestamp": "2019-07-18T03:34:03.099Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -4930,7 +4930,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739313700Z", + "ingested": "2022-01-12T05:19:53.803647656Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5059,7 +5059,7 @@ }, "@timestamp": "2019-07-18T03:34:03.107Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5081,7 +5081,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739319600Z", + "ingested": "2022-01-12T05:19:53.803648047Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5204,7 +5204,7 @@ }, "@timestamp": "2019-07-18T03:34:03.107Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5225,7 +5225,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739324600Z", + "ingested": "2022-01-12T05:19:53.803648422Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5271,13 +5271,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739327900Z", + "ingested": "2022-01-12T05:19:53.803648853Z", "code": "4", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e4\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e2\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.011\u003c/Data\u003e\u003cData Name='State'\u003eStarted\u003c/Data\u003e\u003cData Name='Version'\u003e9.01\u003c/Data\u003e\u003cData Name='SchemaVersion'\u003e4.20\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5354,7 +5354,7 @@ }, "@timestamp": "2019-07-18T03:34:03.112Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5366,7 +5366,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739332700Z", + "ingested": "2022-01-12T05:19:53.803649391Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5441,7 +5441,7 @@ }, "@timestamp": "2019-07-18T03:34:03.113Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5452,7 +5452,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739337800Z", + "ingested": "2022-01-12T05:19:53.803649743Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5535,7 +5535,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -5549,7 +5549,7 @@ "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739342700Z", + "ingested": "2022-01-12T05:19:53.803650122Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e3\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.949\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4860\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e9.01\u003c/Data\u003e\u003cData Name='Description'\u003eSystem activity monitor\u003c/Data\u003e\u003cData Name='Product'\u003eSysinternals Sysmon\u003c/Data\u003e\u003cData Name='Company'\u003eSysinternals - www.sysinternals.com\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData 
Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e488\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\services.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\services.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5648,7 +5648,7 @@ }, "@timestamp": "2019-07-18T03:34:03.146Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5662,7 +5662,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739346500Z", + "ingested": "2022-01-12T05:19:53.803650822Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5781,7 +5781,7 @@ }, "@timestamp": "2019-07-18T03:34:03.146Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5801,7 +5801,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739351200Z", + "ingested": "2022-01-12T05:19:53.803651246Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5856,6 +5856,7 @@ "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding" }, + "@timestamp": "2019-03-18T16:57:37.964Z", "winlog": { "computer_name": "vagrant-2012-r2", "record_id": "4", @@ -5885,9 +5886,8 @@ "identifier": "S-1-5-18" } }, - "@timestamp": "2019-03-18T16:57:37.964Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -5904,7 +5904,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:44.739357200Z", + "ingested": "2022-01-12T05:19:53.803651763Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e4\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.964\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-00102c412a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5028\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\unsecapp.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eSink to receive asynchronous callbacks for WMI client application\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT 
AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6027,7 +6027,7 @@ }, "@timestamp": "2019-07-18T03:34:03.182Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -6048,7 +6048,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739360800Z", + "ingested": "2022-01-12T05:19:53.803652106Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6135,7 +6135,7 @@ }, "@timestamp": "2019-07-18T03:34:03.183Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -6149,7 +6149,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739364600Z", + "ingested": "2022-01-12T05:19:53.803652512Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6279,7 +6279,7 @@ }, "@timestamp": "2019-07-18T03:34:03.222Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -6298,7 +6298,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739368Z", + "ingested": "2022-01-12T05:19:53.803652908Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6386,7 +6386,7 @@ }, "@timestamp": "2019-07-18T03:34:03.271Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -6399,7 +6399,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739372700Z", + "ingested": "2022-01-12T05:19:53.803653272Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6507,7 +6507,7 @@ }, "@timestamp": "2019-07-18T03:34:03.271Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -6525,7 +6525,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739377900Z", + "ingested": "2022-01-12T05:19:53.803653748Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6608,7 +6608,7 @@ }, "@timestamp": "2019-07-18T03:34:03.290Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -6621,7 +6621,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739383100Z", + "ingested": "2022-01-12T05:19:53.803654218Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6700,7 +6700,7 @@ }, "@timestamp": "2019-07-18T03:34:03.292Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -6712,7 +6712,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739389Z", + "ingested": "2022-01-12T05:19:53.803654589Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6778,7 +6778,7 @@ }, "@timestamp": "2019-07-18T03:34:03.315Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -6786,7 +6786,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739395Z", + "ingested": "2022-01-12T05:19:53.803654919Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802587100Z'/\u003e\u003cEventRecordID\u003e118\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6852,7 +6852,7 @@ }, "@timestamp": "2019-07-18T03:34:03.315Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -6860,7 +6860,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739400900Z", + "ingested": "2022-01-12T05:19:53.803655292Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802678700Z'/\u003e\u003cEventRecordID\u003e119\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6907,13 +6907,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739406800Z", + "ingested": "2022-01-12T05:19:53.803655634Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e5\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7035,7 +7035,7 @@ }, "@timestamp": "2019-07-18T03:34:03.333Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -7056,7 +7056,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739412600Z", + "ingested": "2022-01-12T05:19:53.803656014Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7144,7 +7144,7 @@ }, "@timestamp": "2019-07-18T03:34:03.343Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -7157,7 +7157,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739418600Z", + "ingested": "2022-01-12T05:19:53.803656394Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7236,7 +7236,7 @@ }, "@timestamp": "2019-07-18T03:34:03.391Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -7248,7 +7248,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739424500Z", + "ingested": "2022-01-12T05:19:53.803656782Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7295,13 +7295,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739430400Z", + "ingested": "2022-01-12T05:19:53.803657299Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e6\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010071e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4648\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\Downloads\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7423,7 +7423,7 @@ }, "@timestamp": "2019-07-18T03:34:03.393Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -7444,7 +7444,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739438200Z", + "ingested": "2022-01-12T05:19:53.803657770Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7530,7 +7530,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -7544,7 +7544,7 @@ "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739444700Z", + "ingested": "2022-01-12T05:19:53.803658252Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:39.012744700Z'/\u003e\u003cEventRecordID\u003e7\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:39.012\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce03-5c8f-0000-0010e9462a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4508\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eWMI Provider Host\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7609,7 +7609,7 @@ }, "@timestamp": "2019-03-18T16:57:47.847Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -7620,7 +7620,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739450500Z", + "ingested": "2022-01-12T05:19:53.803658764Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7688,7 +7688,7 @@ }, "@timestamp": "2019-03-18T16:57:48.070Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -7700,7 +7700,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739456400Z", + "ingested": "2022-01-12T05:19:53.803659196Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e9\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7768,7 +7768,7 @@ }, "@timestamp": "2019-03-18T16:57:48.148Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -7780,7 +7780,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739462400Z", + "ingested": "2022-01-12T05:19:53.803659797Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7848,7 +7848,7 @@ }, "@timestamp": "2019-03-18T16:57:48.214Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -7860,7 +7860,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739468300Z", + "ingested": "2022-01-12T05:19:53.803660267Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7950,7 +7950,7 @@ }, "@timestamp": "2019-07-18T03:34:03.468Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -7963,7 +7963,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739474100Z", + "ingested": "2022-01-12T05:19:53.803660871Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8087,7 +8087,7 @@ }, "@timestamp": "2019-07-18T03:34:03.581Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -8108,7 +8108,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739480Z", + "ingested": "2022-01-12T05:19:53.803661238Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8173,7 +8173,7 @@ }, "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8185,7 +8185,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739483800Z", + "ingested": "2022-01-12T05:19:53.803661622Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e12\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8266,7 +8266,7 @@ }, "@timestamp": "2019-07-18T03:34:03.872Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -8278,7 +8278,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739488300Z", + "ingested": "2022-01-12T05:19:53.803662007Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8350,7 +8350,7 @@ }, "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8362,7 +8362,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739493400Z", + "ingested": "2022-01-12T05:19:53.803662492Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e13\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8458,7 +8458,7 @@ }, "@timestamp": "2019-07-18T03:34:03.889Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -8470,7 +8470,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739498700Z", + "ingested": "2022-01-12T05:19:53.803662824Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8536,7 +8536,7 @@ }, "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8548,7 +8548,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739502500Z", + "ingested": "2022-01-12T05:19:53.803663152Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e14\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:e488:b85c:5262:ff86\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8615,7 +8615,7 @@ }, "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8626,7 +8626,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739507200Z", + "ingested": "2022-01-12T05:19:53.803663545Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8692,7 +8692,7 @@ }, "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8703,7 +8703,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739513Z", + "ingested": "2022-01-12T05:19:53.803664077Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8769,7 +8769,7 @@ }, "@timestamp": "2019-03-18T16:57:48.251Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8780,7 +8780,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739516600Z", + "ingested": "2022-01-12T05:19:53.803664590Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8847,7 +8847,7 @@ }, "@timestamp": "2019-03-18T16:57:48.251Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8859,7 +8859,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739520400Z", + "ingested": "2022-01-12T05:19:53.803665093Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e18\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:616f:32fa:b04f:b419\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8926,7 +8926,7 @@ }, "@timestamp": "2019-03-18T16:57:48.251Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8937,7 +8937,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739523800Z", + "ingested": "2022-01-12T05:19:53.803665604Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9004,7 +9004,7 @@ }, "@timestamp": "2019-03-18T16:57:48.264Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -9019,7 +9019,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:44.739528500Z", + "ingested": "2022-01-12T05:19:53.803665998Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9086,7 +9086,7 @@ }, "@timestamp": "2019-03-18T16:57:48.276Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -9101,7 +9101,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:49:44.739533700Z", + "ingested": "2022-01-12T05:19:53.803666372Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e21\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.276\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9168,7 +9168,7 @@ }, "@timestamp": "2019-03-18T16:57:49.213Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -9180,7 +9180,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739538900Z", + "ingested": "2022-01-12T05:19:53.803666771Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9276,7 +9276,7 @@ }, "@timestamp": "2019-07-18T03:34:03.890Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9288,7 +9288,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739544700Z", + "ingested": "2022-01-12T05:19:53.803667096Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9368,7 +9368,7 @@ }, "@timestamp": "2019-07-18T03:34:03.892Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9379,7 +9379,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739550700Z", + "ingested": "2022-01-12T05:19:53.803667451Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9503,7 +9503,7 @@ }, "@timestamp": "2019-07-18T03:34:03.894Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9524,7 +9524,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739556500Z", + "ingested": "2022-01-12T05:19:53.803667778Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9653,7 +9653,7 @@ }, "@timestamp": "2019-07-18T03:34:03.894Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9673,7 +9673,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739562300Z", + "ingested": "2022-01-12T05:19:53.803668193Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9803,7 +9803,7 @@ }, "@timestamp": "2019-07-18T03:34:03.902Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9824,7 +9824,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739568200Z", + "ingested": "2022-01-12T05:19:53.803668569Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9948,7 +9948,7 @@ }, "@timestamp": "2019-07-18T03:34:03.911Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9969,7 +9969,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739574100Z", + "ingested": "2022-01-12T05:19:53.803668957Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -10057,7 +10057,7 @@ }, "@timestamp": "2019-07-18T03:34:03.911Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10070,7 +10070,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739580Z", + "ingested": "2022-01-12T05:19:53.803669329Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -10164,7 +10164,7 @@ }, "@timestamp": "2019-07-18T03:34:03.921Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10176,7 +10176,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739585800Z", + "ingested": "2022-01-12T05:19:53.803669698Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -10255,7 +10255,7 @@ }, "@timestamp": "2019-07-18T03:34:04.101Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10267,7 +10267,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739591600Z", + "ingested": "2022-01-12T05:19:53.803670149Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -10391,7 +10391,7 @@ }, "@timestamp": "2019-07-18T03:34:04.137Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10409,7 +10409,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739597500Z", + "ingested": "2022-01-12T05:19:53.803670550Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10543,7 +10543,7 @@ }, "@timestamp": "2019-07-18T03:34:04.141Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10562,7 +10562,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739603600Z", + "ingested": "2022-01-12T05:19:53.803670978Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10685,7 +10685,7 @@ }, "@timestamp": "2019-07-18T03:34:04.168Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10699,7 +10699,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739609500Z", + "ingested": "2022-01-12T05:19:53.803671321Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10764,7 +10764,7 @@ }, "@timestamp": "2019-03-18T16:57:49.218Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -10776,7 +10776,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739615300Z", + "ingested": "2022-01-12T05:19:53.803671742Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -10825,13 +10825,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739621100Z", + "ingested": "2022-01-12T05:19:53.803672127Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.354274600Z'/\u003e\u003cEventRecordID\u003e24\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.350\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccc6-5c8f-0000-001005082900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4832\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10876,13 +10876,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739627Z", + "ingested": "2022-01-12T05:19:53.803672648Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.364042800Z'/\u003e\u003cEventRecordID\u003e25\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.364\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cccc-5c8f-0000-0010e8272900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3208\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10937,13 +10937,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739633Z", + "ingested": "2022-01-12T05:19:53.803673194Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.402119100Z'/\u003e\u003cEventRecordID\u003e26\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10998,13 +10998,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739636900Z", + "ingested": "2022-01-12T05:19:53.803673517Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e27\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11059,13 +11059,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739641500Z", + "ingested": "2022-01-12T05:19:53.803673936Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e28\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.028\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11120,13 +11120,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739646400Z", + "ingested": "2022-01-12T05:19:53.803674428Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e29\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:51:54.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11178,13 +11178,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739651900Z", + "ingested": "2022-01-12T05:19:53.803675159Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e30\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccab-5c8f-0000-001064eb2700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2680\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11239,13 +11239,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.739655600Z", + "ingested": "2022-01-12T05:19:53.803675646Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e31\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:08.496\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 
16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -11326,7 +11326,7 @@ }, "@timestamp": "2019-07-18T03:34:04.169Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -11339,7 +11339,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739660300Z", + "ingested": "2022-01-12T05:19:53.803676137Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11468,7 +11468,7 @@ }, "@timestamp": "2019-07-18T03:34:04.169Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -11487,7 +11487,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739666Z", + "ingested": "2022-01-12T05:19:53.803676571Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11570,7 +11570,7 @@ }, "@timestamp": "2019-07-18T03:34:04.184Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -11583,7 +11583,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739669700Z", + "ingested": "2022-01-12T05:19:53.803676961Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11712,7 +11712,7 @@ }, "@timestamp": "2019-07-18T03:34:04.184Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -11727,7 +11727,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739673500Z", + "ingested": "2022-01-12T05:19:53.803677298Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11851,7 +11851,7 @@ }, "@timestamp": "2019-07-18T03:34:04.185Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -11872,7 +11872,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739676900Z", + "ingested": "2022-01-12T05:19:53.803677612Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11974,7 +11974,7 @@ }, "@timestamp": "2019-07-18T03:34:04.189Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -11988,7 +11988,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739681400Z", + "ingested": "2022-01-12T05:19:53.803677988Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -12118,7 +12118,7 @@ }, "@timestamp": "2019-07-18T03:34:04.237Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -12140,7 +12140,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739686700Z", + "ingested": "2022-01-12T05:19:53.803678328Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -12244,7 +12244,7 @@ }, "@timestamp": "2019-07-18T03:34:04.274Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -12256,7 +12256,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739691900Z", + "ingested": "2022-01-12T05:19:53.803678653Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -12331,7 +12331,7 @@ }, "@timestamp": "2019-07-18T03:34:04.302Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -12342,7 +12342,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739697800Z", + "ingested": "2022-01-12T05:19:53.803679080Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -12466,7 +12466,7 @@ }, "@timestamp": "2019-07-18T03:34:04.304Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -12487,7 +12487,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739703600Z", + "ingested": "2022-01-12T05:19:53.803679452Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -12581,7 +12581,7 @@ }, "@timestamp": "2019-07-18T03:34:04.322Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -12593,7 +12593,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739709300Z", + "ingested": "2022-01-12T05:19:53.803679776Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -12667,7 +12667,7 @@ }, "@timestamp": "2019-07-18T03:34:04.379Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -12678,7 +12678,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739715200Z", + "ingested": "2022-01-12T05:19:53.803680184Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -12802,7 +12802,7 @@ }, "@timestamp": "2019-07-18T03:34:04.482Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -12823,7 +12823,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739721200Z", + "ingested": "2022-01-12T05:19:53.803680522Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -12948,7 +12948,7 @@ }, "@timestamp": "2019-07-18T03:34:04.502Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -12969,7 +12969,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739727100Z", + "ingested": "2022-01-12T05:19:53.803680841Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -13073,7 +13073,7 @@ }, "@timestamp": "2019-07-18T03:34:04.507Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -13085,7 +13085,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739732900Z", + "ingested": "2022-01-12T05:19:53.803681240Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -13209,7 +13209,7 @@ }, "@timestamp": "2019-07-18T03:34:04.508Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -13223,7 +13223,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739738700Z", + "ingested": "2022-01-12T05:19:53.803681672Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -13336,7 +13336,7 @@ }, "@timestamp": "2019-07-18T03:34:04.531Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -13352,7 +13352,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739744500Z", + "ingested": "2022-01-12T05:19:53.803682053Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -13465,7 +13465,7 @@ }, "@timestamp": "2019-07-18T03:34:04.532Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -13483,7 +13483,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739750500Z", + "ingested": "2022-01-12T05:19:53.803682433Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -13617,7 +13617,7 @@ }, "@timestamp": "2019-07-18T03:34:04.534Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -13633,7 +13633,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739756300Z", + "ingested": "2022-01-12T05:19:53.803682884Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -13758,7 +13758,7 @@ }, "@timestamp": "2019-07-18T03:34:04.601Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -13779,7 +13779,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739762100Z", + "ingested": "2022-01-12T05:19:53.803683267Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -13897,7 +13897,7 @@ }, "@timestamp": "2019-07-18T03:34:04.604Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -13917,7 +13917,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739768Z", + "ingested": "2022-01-12T05:19:53.803683769Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14041,7 +14041,7 @@ }, "@timestamp": "2019-07-18T03:34:04.621Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14062,7 +14062,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739773800Z", + "ingested": "2022-01-12T05:19:53.803684212Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14186,7 +14186,7 @@ }, "@timestamp": "2019-07-18T03:34:04.822Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14207,7 +14207,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739779500Z", + "ingested": "2022-01-12T05:19:53.803684647Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14290,7 +14290,7 @@ }, "@timestamp": "2019-07-18T03:34:04.822Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14303,7 +14303,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739785400Z", + "ingested": "2022-01-12T05:19:53.803685122Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14432,7 +14432,7 @@ }, "@timestamp": "2019-07-18T03:34:04.860Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -14446,7 +14446,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739790Z", + "ingested": "2022-01-12T05:19:53.803685648Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14529,7 +14529,7 @@ }, "@timestamp": "2019-07-18T03:34:04.904Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14542,7 +14542,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739793300Z", + "ingested": "2022-01-12T05:19:53.803686122Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14636,7 +14636,7 @@ }, "@timestamp": "2019-07-18T03:34:04.911Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14648,7 +14648,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739798Z", + "ingested": "2022-01-12T05:19:53.803686508Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14732,7 +14732,7 @@ }, "@timestamp": "2019-07-18T03:34:06.056Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14744,7 +14744,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739802900Z", + "ingested": "2022-01-12T05:19:53.803686893Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14828,7 +14828,7 @@ }, "@timestamp": "2019-07-18T03:34:06.064Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14840,7 +14840,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739808Z", + "ingested": "2022-01-12T05:19:53.803687284Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14923,7 +14923,7 @@ }, "@timestamp": "2019-07-18T03:34:06.178Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14936,7 +14936,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739811800Z", + "ingested": "2022-01-12T05:19:53.803687604Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15020,7 +15020,7 @@ }, "@timestamp": "2019-07-18T03:34:06.455Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -15032,7 +15032,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739816200Z", + "ingested": "2022-01-12T05:19:53.803688104Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -15111,7 +15111,7 @@ }, "@timestamp": "2019-07-18T03:34:06.494Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -15123,7 +15123,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739822Z", + "ingested": "2022-01-12T05:19:53.803688586Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15211,7 +15211,7 @@ }, "@timestamp": "2019-07-18T03:34:06.567Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15224,7 +15224,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739826Z", + "ingested": "2022-01-12T05:19:53.803689062Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15307,7 +15307,7 @@ }, "@timestamp": "2019-07-18T03:34:07.228Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15320,7 +15320,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739829900Z", + "ingested": "2022-01-12T05:19:53.803689400Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15414,7 +15414,7 @@ }, "@timestamp": "2019-07-18T03:34:07.357Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15428,7 +15428,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739833300Z", + "ingested": "2022-01-12T05:19:53.803689798Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15511,7 +15511,7 @@ }, "@timestamp": "2019-07-18T03:34:07.721Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15524,7 +15524,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739837900Z", + "ingested": "2022-01-12T05:19:53.803690128Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15607,7 +15607,7 @@ }, "@timestamp": "2019-07-18T03:34:07.774Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15620,7 +15620,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739843200Z", + "ingested": "2022-01-12T05:19:53.803690466Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15703,7 +15703,7 @@ }, "@timestamp": "2019-07-18T03:34:07.847Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15716,7 +15716,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739848400Z", + "ingested": "2022-01-12T05:19:53.803690900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15846,7 +15846,7 @@ }, "@timestamp": "2019-07-18T03:34:07.943Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15868,7 +15868,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739854300Z", + "ingested": "2022-01-12T05:19:53.803691402Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15962,7 +15962,7 @@ }, "@timestamp": "2019-07-18T03:34:07.945Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15975,7 +15975,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739860100Z", + "ingested": "2022-01-12T05:19:53.803692149Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16067,7 +16067,7 @@ }, "@timestamp": "2019-07-18T03:34:07.954Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16078,7 +16078,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739866Z", + "ingested": "2022-01-12T05:19:53.803692597Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16203,7 +16203,7 @@ }, "@timestamp": "2019-07-18T03:34:07.955Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16224,7 +16224,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739871800Z", + "ingested": "2022-01-12T05:19:53.803692920Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16299,7 +16299,7 @@ }, "@timestamp": "2019-07-18T03:34:07.955Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16310,7 +16310,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739877800Z", + "ingested": "2022-01-12T05:19:53.803693342Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16393,7 +16393,7 @@ }, "@timestamp": "2019-07-18T03:34:07.956Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16406,7 +16406,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739883500Z", + "ingested": "2022-01-12T05:19:53.803693830Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16535,7 +16535,7 @@ }, "@timestamp": "2019-07-18T03:34:08.019Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16554,7 +16554,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739890900Z", + "ingested": "2022-01-12T05:19:53.803694263Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -16633,7 +16633,7 @@ }, "@timestamp": "2019-07-18T03:34:08.050Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -16645,7 +16645,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739897300Z", + "ingested": "2022-01-12T05:19:53.803694582Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16728,7 +16728,7 @@ }, "@timestamp": "2019-07-18T03:34:08.070Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16741,7 +16741,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739903200Z", + "ingested": "2022-01-12T05:19:53.803694957Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16868,7 +16868,7 @@ }, "@timestamp": "2019-07-18T03:34:08.090Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16883,7 +16883,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739908900Z", + "ingested": "2022-01-12T05:19:53.803695285Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17016,7 +17016,7 @@ }, "@timestamp": "2019-07-18T03:34:08.308Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -17032,7 +17032,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739914600Z", + "ingested": "2022-01-12T05:19:53.803695615Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17115,7 +17115,7 @@ }, "@timestamp": "2019-07-18T03:34:08.478Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -17128,7 +17128,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739920400Z", + "ingested": "2022-01-12T05:19:53.803695998Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17257,7 +17257,7 @@ }, "@timestamp": "2019-07-18T03:34:08.536Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -17272,7 +17272,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739926300Z", + "ingested": "2022-01-12T05:19:53.803696362Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17402,7 +17402,7 @@ }, "@timestamp": "2019-07-18T03:34:08.544Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -17424,7 +17424,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739932100Z", + "ingested": "2022-01-12T05:19:53.803696728Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17549,7 +17549,7 @@ }, "@timestamp": "2019-07-18T03:34:08.550Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -17569,7 +17569,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739938400Z", + "ingested": "2022-01-12T05:19:53.803697404Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17689,7 +17689,7 @@ }, "@timestamp": "2019-07-18T03:34:08.552Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -17700,7 +17700,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739944400Z", + "ingested": "2022-01-12T05:19:53.803697793Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17830,7 +17830,7 @@ }, "@timestamp": "2019-07-18T03:34:08.552Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -17851,7 +17851,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739948300Z", + "ingested": "2022-01-12T05:19:53.803698280Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18185,7 +18185,7 @@ }, "@timestamp": "2019-07-18T03:34:08.594Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18219,7 +18219,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739952900Z", + "ingested": "2022-01-12T05:19:53.803698674Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18363,7 +18363,7 @@ }, "@timestamp": "2019-07-18T03:34:08.619Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18377,7 +18377,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739957800Z", + "ingested": "2022-01-12T05:19:53.803699124Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18463,7 +18463,7 @@ }, "@timestamp": "2019-07-18T03:34:08.620Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -18475,7 +18475,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739962900Z", + "ingested": "2022-01-12T05:19:53.803699592Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18562,7 +18562,7 @@ }, "@timestamp": "2019-07-18T03:34:08.811Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18576,7 +18576,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739966700Z", + "ingested": "2022-01-12T05:19:53.803700055Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18642,7 +18642,7 @@ }, "@timestamp": "2019-07-18T03:34:08.912Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18650,7 +18650,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739971300Z", + "ingested": "2022-01-12T05:19:53.803700390Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067946300Z'/\u003e\u003cEventRecordID\u003e200\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.912\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18733,7 +18733,7 @@ }, "@timestamp": "2019-07-18T03:34:09.016Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18746,7 +18746,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739977200Z", + "ingested": "2022-01-12T05:19:53.803700730Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18876,7 +18876,7 @@ }, "@timestamp": "2019-07-18T03:34:09.048Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18894,7 +18894,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.739980800Z", + "ingested": "2022-01-12T05:19:53.803701130Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19024,7 +19024,7 @@ }, "@timestamp": "2019-07-18T03:34:09.051Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -19043,7 +19043,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740019100Z", + "ingested": "2022-01-12T05:19:53.803701523Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19126,7 +19126,7 @@ }, "@timestamp": "2019-07-18T03:34:09.054Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19139,7 +19139,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740026200Z", + "ingested": "2022-01-12T05:19:53.803701849Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19263,7 +19263,7 @@ }, "@timestamp": "2019-07-18T03:34:09.126Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19284,7 +19284,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740032200Z", + "ingested": "2022-01-12T05:19:53.803702175Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19415,7 +19415,7 @@ }, "@timestamp": "2019-07-18T03:34:09.184Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19436,7 +19436,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740038100Z", + "ingested": "2022-01-12T05:19:53.803702577Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19559,7 +19559,7 @@ }, "@timestamp": "2019-07-18T03:34:09.322Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -19573,7 +19573,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740043900Z", + "ingested": "2022-01-12T05:19:53.803702943Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19685,7 +19685,7 @@ }, "@timestamp": "2019-07-18T03:34:09.730Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -19704,7 +19704,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740049700Z", + "ingested": "2022-01-12T05:19:53.803703268Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19794,7 +19794,7 @@ }, "@timestamp": "2019-07-18T03:34:10.627Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19807,7 +19807,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740055500Z", + "ingested": "2022-01-12T05:19:53.803703672Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19897,7 +19897,7 @@ }, "@timestamp": "2019-07-18T03:34:10.650Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19910,7 +19910,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740061500Z", + "ingested": "2022-01-12T05:19:53.803704056Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20034,7 +20034,7 @@ }, "@timestamp": "2019-07-18T03:34:16.329Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -20055,7 +20055,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740067300Z", + "ingested": "2022-01-12T05:19:53.803704396Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20150,7 +20150,7 @@ }, "@timestamp": "2019-07-18T03:34:16.386Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -20166,7 +20166,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740073100Z", + "ingested": "2022-01-12T05:19:53.803704753Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20296,7 +20296,7 @@ }, "@timestamp": "2019-07-18T03:34:16.482Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20315,7 +20315,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740079100Z", + "ingested": "2022-01-12T05:19:53.803705073Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20394,7 +20394,7 @@ }, "@timestamp": "2019-07-18T03:34:19.578Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -20406,7 +20406,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740085Z", + "ingested": "2022-01-12T05:19:53.803705404Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20489,7 +20489,7 @@ }, "@timestamp": "2019-07-18T03:34:31.219Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20502,7 +20502,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740091Z", + "ingested": "2022-01-12T05:19:53.803705721Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20581,7 +20581,7 @@ }, "@timestamp": "2019-07-18T03:39:02.752Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20593,7 +20593,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740095Z", + "ingested": "2022-01-12T05:19:53.803706099Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20659,7 +20659,7 @@ }, "@timestamp": "2019-07-18T03:39:20.413Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20667,7 +20667,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740099700Z", + "ingested": "2022-01-12T05:19:53.803706449Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:22.432153100Z'/\u003e\u003cEventRecordID\u003e221\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:20.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003eisatap.local.crowbird.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20730,7 +20730,7 @@ }, "@timestamp": "2019-07-18T03:39:40.504Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20738,7 +20738,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740104800Z", + "ingested": "2022-01-12T05:19:53.803706862Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:42.554539300Z'/\u003e\u003cEventRecordID\u003e230\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:40.504\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e9f7-5d2f-0000-001031039c00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e676\u003c/Data\u003e\u003cData Name='QueryName'\u003epuppet\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20801,7 +20801,7 @@ }, "@timestamp": "2019-07-18T03:40:40.433Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20809,7 +20809,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740109600Z", + "ingested": "2022-01-12T05:19:53.803707213Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:40:42.447293700Z'/\u003e\u003cEventRecordID\u003e231\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:40:40.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-001016f70000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e636\u003c/Data\u003e\u003cData Name='QueryName'\u003ewpad\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20896,7 +20896,7 @@ }, "@timestamp": "2019-07-18T03:42:54.033Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20910,7 +20910,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740113400Z", + "ingested": "2022-01-12T05:19:53.803707527Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20989,7 +20989,7 @@ }, "@timestamp": "2019-07-18T03:43:04.400Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -21001,7 +21001,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740118100Z", + "ingested": "2022-01-12T05:19:53.803707850Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -21085,7 +21085,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -21099,7 +21099,7 @@ "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.740122Z", + "ingested": "2022-01-12T05:19:53.803708167Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-27T20:00:14.324234100Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='7144' ThreadID='6876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-27 20:00:14.320\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-7c4e-5f98-5803-000000000500}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\notepad.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.475 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eNotepad\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eNOTEPAD.EXE\u003c/Data\u003e\u003cData Name='CommandLine'\u003e\"C:\\Windows\\system32\\notepad.exe\" \u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Users\\vagrant\\\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{9f32b55f-6fdd-5f98-e7c9-020000000000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x2c9e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e1\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eMedium\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=B6D237154F2E528F0B503B58B025862D66B02B73\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{9f32b55f-6fdf-5f98-7000-000000000500}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e4212\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -21146,7 +21146,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" 
@@ -21155,7 +21155,7 @@ "name": "DESKTOP-I9CQVAQ" }, "event": { - "ingested": "2021-12-09T13:49:44.740125600Z", + "ingested": "2022-01-12T05:19:53.803708561Z", "code": "25", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e25\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e25\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T14:43:23.551269400Z'/\u003e\u003cEventRecordID\u003e10737797\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='5080'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 14:43:23.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-b78b-6037-6f13-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2628\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\u003c/Data\u003e\u003cData Name='Type'\u003eImage is replaced\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -21208,9 +21208,6 @@ "is_executable": false } }, - "log": { - "level": "information" - }, "@timestamp": "2020-05-12T06:48:27.084Z", "file": { "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", @@ -21218,7 +21215,7 @@ "directory": "C:\\Windows\\System32\\LogFiles\\Scm" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -21228,8 +21225,11 @@ "5a9bddf83be530b481f0fd24db28a6ff" ] }, + "log": { + "level": "information" + }, "event": { - "ingested": "2021-12-09T13:49:44.740129600Z", + "ingested": "2022-01-12T05:19:53.803708900Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-12T06:48:27.084044200Z'/\u003e\u003cEventRecordID\u003e2243\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1188' ThreadID='1600'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-12 06:48:27.084\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-4664-5eba-91ae-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e820\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21255,6 +21255,7 @@
"entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}",
"executable": "C:\\Windows\\System32\\dllhost.exe"
},
+ "@timestamp": "2020-10-28T02:39:26.374Z",
"winlog": {
"computer_name": "vagrant",
"record_id": "10685",
@@ -21283,7 +21284,6 @@
"identifier": "S-1-5-18"
}
},
- "@timestamp": "2020-10-28T02:39:26.374Z",
"file": {
"path": "C:\\Windows\\System32\\IDStore.dll",
"extension": "dll",
@@ -21309,7 +21309,7 @@
}
},
"ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
},
"related": {
"hash": [
@@ -21323,7 +21323,7 @@ "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.740132900Z", + "ingested": "2022-01-12T05:19:53.803709222Z", "code": "7", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e7\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e7\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-28T02:39:26.388325200Z'/\u003e\u003cEventRecordID\u003e10685\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1676' ThreadID='4796'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-28 02:39:26.374\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-d9de-5f98-f006-000000000600}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5184\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\dllhost.exe\u003c/Data\u003e\u003cData Name='ImageLoaded'\u003eC:\\Windows\\System32\\IDStore.dll\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.1 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eIdentity Store\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eIdStore.dll\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\u003c/Data\u003e\u003cData Name='Signed'\u003etrue\u003c/Data\u003e\u003cData Name='Signature'\u003eMicrosoft Windows\u003c/Data\u003e\u003cData Name='SignatureStatus'\u003eValid\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21377,13 +21377,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.740137300Z", + "ingested": "2022-01-12T05:19:53.803709543Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818869100Z'/\u003e\u003cEventRecordID\u003e2691\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21439,23 +21439,23 @@ "archived": true } }, - "log": { - "level": "information" - }, "@timestamp": "2021-02-25T15:04:48.592Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hash": [ "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" ] }, + "log": { + "level": "information" + }, "host": { "name": "DESKTOP-I9CQVAQ" }, "event": { - "ingested": "2021-12-09T13:49:44.740143400Z", + "ingested": "2022-01-12T05:19:53.803709925Z", "code": "24", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e24\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e24\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T15:04:48.607343500Z'/\u003e\u003cEventRecordID\u003e10757412\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='6444'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 15:04:48.592\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-aa1b-602f-a600-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2144\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\u003c/Data\u003e\u003cData Name='Session'\u003e1\u003c/Data\u003e\u003cData Name='ClientInfo'\u003euser: DESKTOP-I9CQVAQ\\luks\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21507,13 +21507,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:49:44.740149300Z", + "ingested": "2022-01-12T05:19:53.803710256Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e32\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.339\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 
16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -21624,7 +21624,7 @@ }, "@timestamp": "2019-07-18T03:49:51.154Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -21643,7 +21643,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:49:44.740155100Z", + "ingested": "2022-01-12T05:19:53.803710586Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
index 117f7288a94..6d94b1bfe64 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
@@ -24,7 +24,7 @@ processors: - set: field: ecs.version - value: '1.12.0' + value: '8.0.0' - set: field: log.level copy_from: winlog.level
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
index d508f0d7341..90e4f573fa1 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
@@ -26,7 +26,7 @@ processors: - set: field: ecs.version - value: '1.12.0' + value: '8.0.0' - set: field: log.level copy_from: winlog.level
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
index 3916709c2d8..7b5137c3245 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
@@ -3153,7 +3153,7 @@ processors: - set: field: ecs.version - value: '1.12.0' + value: '8.0.0' - set: field: log.level
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml
index 4d277cd4dad..d873c4b2a20 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml
@@ -5,7 +5,7 @@ processors: - set: field: ecs.version - value: '1.12.0' + value: '8.0.0' - rename: field: winlog.level target_field: log.level
diff --git a/packages/windows/data_stream/forwarded/sample_event.json b/packages/windows/data_stream/forwarded/sample_event.json
index 65e919fcd44..33ffd9fa42b 100644
--- a/packages/windows/data_stream/forwarded/sample_event.json
+++ b/packages/windows/data_stream/forwarded/sample_event.json
@@ -1,12 +1,11 @@
{
"@timestamp": "2020-05-13T09:04:04.755Z",
"agent": {
- "ephemeral_id": "0db86869-9076-44ed-acbc-32415bdaa793",
- "hostname": "docker-fleet-agent",
- "id": "8a695e28-aed6-4bbf-90be-5a9b7f99eab9",
+ "ephemeral_id": "f883378c-95a9-4517-b5b8-249266a41a95",
+ "id": "9878d192-22ad-49b6-a6c2-9959b0815d04",
"name": "docker-fleet-agent",
"type": "filebeat",
- "version": "7.14.0"
+ "version": "8.0.0-beta1"
},
"data_stream": {
"dataset": "windows.forwarded",
@@ -14,20 +13,20 @@ "type": "logs" }, "ecs": { - "version": "1.10.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "24ec544f-3818-44a4-ac26-223be6af154a", - "snapshot": true, - "version": "7.14.0" + "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "snapshot": false, + "version": "8.0.0-beta1" }, "event": { - "agent_id_status": "agent_id_mismatch", + "agent_id_status": "verified", "category": "process", "code": "4105", - "created": "2021-06-14T13:42:42.623Z", + "created": "2022-01-12T05:23:24.033Z", "dataset": "windows.forwarded", - "ingested": "2021-06-14T13:42:43.671136100Z", + "ingested": "2022-01-12T05:23:25Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
diff --git a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
index ba9b68dedcd..cf627331c69 100644
--- a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
@@ -23,7 +23,7 @@
"provider_name": "PowerShell"
},
"ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
},
"log": {
"level": "information"
@@ -47,7 +47,7 @@ }, "event": { "sequence": 35, - "ingested": "2021-12-09T13:50:22.454903100Z", + "ingested": "2022-01-12T05:21:30.519545468Z", "code": "600", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", @@ -82,7 +82,7 @@ "provider_name": "PowerShell" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" 
@@ -103,7 +103,7 @@ }, "event": { "sequence": 13, - "ingested": "2021-12-09T13:50:22.454906900Z", + "ingested": "2022-01-12T05:21:30.519547354Z", "code": "400", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:00:30.891423500Z'/\u003e\u003cEventRecordID\u003e1492\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:01:14.371507600Z'/\u003e\u003cEventRecordID\u003e1511\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:32:51.989256800Z'/\u003e\u003cEventRecordID\u003e1579\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe 
C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:27.747227500Z'/\u003e\u003cEventRecordID\u003e18591\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", @@ -165,7 +165,7 @@ "directory": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -205,7 +205,7 @@ }, "event": { "sequence": 17, - "ingested": "2021-12-09T13:50:22.454911400Z", + "ingested": "2022-01-12T05:21:30.519547795Z", "code": "800", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-02-26T09:37:40.487241500Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant-2019\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026amp; { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026amp;'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.376993100Z'/\u003e\u003cEventRecordID\u003e1843\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u0026amp; { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026amp; { Set-StrictMode -Version 1; 
$this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003eCommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1846\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eImport-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in 
any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1847\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u003c/Data\u003e\u003cData\u003eCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", @@ -240,7 +240,7 @@ "provider_name": "PowerShell" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" 
@@ -261,7 +261,7 @@ }, "event": { "sequence": 33, - "ingested": "2021-12-09T13:50:22.454914900Z", + "ingested": "2022-01-12T05:21:30.519548146Z", "code": "403", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T15:31:22.426923800Z'/\u003e\u003cEventRecordID\u003e1687\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.932007000Z'/\u003e\u003cEventRecordID\u003e1706\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:28:53.626698200Z'/\u003e\u003cEventRecordID\u003e1766\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat 
text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:28.686193900Z'/\u003e\u003cEventRecordID\u003e18592\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", diff --git a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml index 117f7288a94..6d94b1bfe64 100644 --- a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml @@ -24,7 +24,7 @@ processors: - set: field: ecs.version - value: '1.12.0' + value: '8.0.0' - set: field: log.level copy_from: winlog.level 
diff --git a/packages/windows/data_stream/powershell/sample_event.json b/packages/windows/data_stream/powershell/sample_event.json index b784ed32e42..f9cf2b3a7d2 100644 --- a/packages/windows/data_stream/powershell/sample_event.json +++ b/packages/windows/data_stream/powershell/sample_event.json @@ -1,12 +1,11 @@ { "@timestamp": "2020-05-13T13:21:43.183Z", "agent": { - "ephemeral_id": "0db86869-9076-44ed-acbc-32415bdaa793", - "hostname": "docker-fleet-agent", - "id": "8a695e28-aed6-4bbf-90be-5a9b7f99eab9", + "ephemeral_id": "db81e0aa-51b2-4036-9ece-f3c8979be9f8", + "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.14.0" + "version": "8.0.0-beta1" }, "data_stream": { "dataset": "windows.powershell", 
@@ -14,20 +13,20 @@ "type": "logs" }, "ecs": { - "version": "1.10.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "24ec544f-3818-44a4-ac26-223be6af154a", - "snapshot": true, - "version": "7.14.0" + "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "snapshot": false, + "version": "8.0.0-beta1" }, "event": { - "agent_id_status": "agent_id_mismatch", + "agent_id_status": "verified", "category": "process", "code": "600", - "created": "2021-06-14T13:43:24.815Z", + "created": "2022-01-12T05:24:01.636Z", "dataset": "windows.powershell", - "ingested": "2021-06-14T13:43:25.859030600Z", + "ingested": "2022-01-12T05:24:02Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "PowerShell", diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json index ab35590698f..612147902d9 100644 --- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json @@ -22,7 +22,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "verbose" 
@@ -37,7 +37,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:50:22.931472300Z", + "ingested": "2022-01-12T05:21:31.956824087Z", "code": "4105", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -102,7 +102,7 @@ ], "@timestamp": "2020-05-15T08:11:47.897Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -148,7 +148,7 @@ }, "event": { "sequence": 34, - "ingested": "2021-12-09T13:50:22.931480800Z", + "ingested": "2022-01-12T05:21:31.956826585Z", "code": "4103", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant 
\u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): 
name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -184,7 +184,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "verbose" @@ -199,7 +199,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:50:22.931486800Z", + "ingested": "2022-01-12T05:21:31.956827079Z", "code": "4106", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", @@ -236,7 +236,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "verbose" 
@@ -253,7 +253,7 @@ "name": "vagrant" }, "event": { - "ingested": "2021-12-09T13:50:22.931492Z", + "ingested": "2022-01-12T05:21:31.956827494Z", "code": "4104", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", diff --git a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml index d508f0d7341..90e4f573fa1 100644 --- a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml @@ -26,7 +26,7 @@ processors: - set: field: ecs.version - value: '1.12.0' + value: '8.0.0' - set: field: log.level copy_from: winlog.level diff --git a/packages/windows/data_stream/powershell_operational/sample_event.json b/packages/windows/data_stream/powershell_operational/sample_event.json index c24acfd5103..96c881d9412 100644 --- a/packages/windows/data_stream/powershell_operational/sample_event.json +++ b/packages/windows/data_stream/powershell_operational/sample_event.json 
@@ -1,12 +1,11 @@ { "@timestamp": "2020-05-13T09:04:04.755Z", "agent": { - "ephemeral_id": "0db86869-9076-44ed-acbc-32415bdaa793", - "hostname": "docker-fleet-agent", - "id": "8a695e28-aed6-4bbf-90be-5a9b7f99eab9", + "ephemeral_id": "bbdc83ce-5df6-4729-b8e9-0185b6ab66f6", + "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.14.0" + "version": "8.0.0-beta1" }, "data_stream": { "dataset": "windows.powershell_operational", 
@@ -14,20 +13,20 @@ "type": "logs" }, "ecs": { - "version": "1.10.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "24ec544f-3818-44a4-ac26-223be6af154a", - "snapshot": true, - "version": "7.14.0" + "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "snapshot": false, + "version": "8.0.0-beta1" }, "event": { - "agent_id_status": "agent_id_mismatch", + "agent_id_status": "verified", "category": "process", "code": "4105", - "created": "2021-06-14T13:44:07.370Z", + "created": "2022-01-12T05:24:36.653Z", "dataset": "windows.powershell_operational", - "ingested": "2021-06-14T13:44:08.399097100Z", + "ingested": "2022-01-12T05:24:37Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json index 3ce2456a113..b5307b7d661 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json @@ -64,7 +64,7 @@ }, "@timestamp": "2019-07-18T03:34:01.239Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -77,7 +77,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456572100Z", + "ingested": "2022-01-12T05:21:33.201986672Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -160,7 +160,7 @@ }, "@timestamp": "2019-07-18T03:34:01.261Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -173,7 +173,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456580900Z", + "ingested": "2022-01-12T05:21:33.201993054Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -230,9 +230,6 @@ "is_executable": true } }, - "log": { - "level": "information" - }, "@timestamp": "2020-05-07T08:14:44.489Z", "file": { "name": "test.test.exe", 
@@ -241,7 +238,7 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -252,8 +249,11 @@ "d90d8c7812aec8da0fa173afa1293ab2" ] }, + "log": { + "level": "information" + }, "event": { - "ingested": "2021-12-09T13:50:23.456586700Z", + "ingested": "2022-01-12T05:21:33.201993802Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T08:14:44.489978500Z'/\u003e\u003cEventRecordID\u003e612\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 08:14:44.489\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-c36f-5eb3-2c07-290000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2184\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\u003c/Data\u003e\u003cData Name='IsExecutable'\u003etrue\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -337,7 +337,7 @@ }, "@timestamp": "2019-07-18T03:34:01.449Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -349,7 +349,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456592500Z", + "ingested": "2022-01-12T05:21:33.201994275Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -437,7 +437,7 @@ }, "@timestamp": "2019-07-18T03:34:01.457Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -450,7 +450,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456598Z", + "ingested": "2022-01-12T05:21:33.201994741Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -512,13 +512,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.456603600Z", + "ingested": "2022-01-12T05:21:33.201995149Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:40.599567200Z'/\u003e\u003cEventRecordID\u003e2682\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:40.589\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD (0x00000004)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -571,9 +571,6 @@ "is_executable": false } }, - "log": { - "level": "information" - }, "@timestamp": "2020-05-07T07:27:18.722Z", "file": { "name": "lastalive0.dat", 
@@ -582,7 +579,7 @@ "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -592,8 +589,11 @@ "115106f5b338c87ae6836d50dd890de3da296367" ] }, + "log": { + "level": "information" + }, "event": { - "ingested": "2021-12-09T13:50:23.456609200Z", + "ingested": "2022-01-12T05:21:33.201995521Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T07:27:18.722136100Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 07:27:18.722\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-b2b6-5eb3-18ab-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e776\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=115106F5B338C87AE6836D50DD890DE3DA296367\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -676,7 +676,7 @@ }, "@timestamp": "2019-07-18T03:34:01.494Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -689,7 +689,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456616900Z", + "ingested": "2022-01-12T05:21:33.201996010Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -778,7 +778,7 @@ }, "@timestamp": "2019-07-18T03:34:01.810Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -789,7 +789,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456622700Z", + "ingested": "2022-01-12T05:21:33.201996513Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -868,7 +868,7 @@ }, "@timestamp": "2019-07-18T03:34:01.894Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -880,7 +880,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456628300Z", + "ingested": "2022-01-12T05:21:33.201997048Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -968,7 +968,7 @@ }, "@timestamp": "2019-07-18T03:34:01.948Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -981,7 +981,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456633800Z", + "ingested": "2022-01-12T05:21:33.201997530Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1056,7 +1056,7 @@ }, "@timestamp": "2019-07-18T03:34:02.085Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1067,7 +1067,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456639800Z", + "ingested": "2022-01-12T05:21:33.201998121Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1158,7 +1158,7 @@ }, "@timestamp": "2019-07-18T03:34:02.174Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1173,7 +1173,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456645400Z", + "ingested": "2022-01-12T05:21:33.201998658Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1296,7 +1296,7 @@ }, "@timestamp": "2019-07-18T03:34:02.274Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1316,7 +1316,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456651Z", + "ingested": "2022-01-12T05:21:33.201999143Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1395,7 +1395,7 @@ }, "@timestamp": "2019-07-18T03:34:02.291Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1407,7 +1407,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456656600Z", + "ingested": "2022-01-12T05:21:33.201999511Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1490,7 +1490,7 @@ }, "@timestamp": "2019-07-18T03:34:02.413Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1503,7 +1503,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456662500Z", + "ingested": "2022-01-12T05:21:33.202000027Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1591,7 +1591,7 @@ }, "@timestamp": "2019-07-18T03:34:02.424Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1604,7 +1604,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456668500Z", + "ingested": "2022-01-12T05:21:33.202000589Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1679,7 +1679,7 @@ }, "@timestamp": "2019-07-18T03:34:02.427Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1690,7 +1690,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456674100Z", + "ingested": "2022-01-12T05:21:33.202001087Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -1779,7 +1779,7 @@ }, "@timestamp": "2019-07-18T03:34:02.469Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -1791,7 +1791,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456679700Z", + "ingested": "2022-01-12T05:21:33.202001587Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1847,13 +1847,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.456685200Z", + "ingested": "2022-01-12T05:21:33.202002055Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.723248500Z'/\u003e\u003cEventRecordID\u003e2686\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -1935,7 +1935,7 @@ }, "@timestamp": "2019-07-18T03:34:02.485Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -1948,7 +1948,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456691100Z", + "ingested": "2022-01-12T05:21:33.202002675Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2031,7 +2031,7 @@ }, "@timestamp": "2019-07-18T03:34:02.500Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -2044,7 +2044,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456696700Z", + "ingested": "2022-01-12T05:21:33.202003104Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2106,13 +2106,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.456702400Z", + "ingested": "2022-01-12T05:21:33.202003524Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.726009900Z'/\u003e\u003cEventRecordID\u003e2687\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x00000005)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2167,13 +2167,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.456708300Z", + "ingested": "2022-01-12T05:21:33.202004052Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818821400Z'/\u003e\u003cEventRecordID\u003e2690\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2282,7 +2282,7 @@ }, "@timestamp": "2019-07-18T03:34:02.580Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -2293,7 +2293,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456714Z", + "ingested": "2022-01-12T05:21:33.202004931Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2382,7 +2382,7 @@ }, "@timestamp": "2019-07-18T03:34:02.628Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -2393,7 +2393,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456718Z", + "ingested": "2022-01-12T05:21:33.202005405Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2528,7 +2528,7 @@ }, "@timestamp": "2019-07-18T03:34:02.633Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -2544,7 +2544,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456722600Z", + "ingested": "2022-01-12T05:21:33.202005900Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2667,7 +2667,7 @@ }, "@timestamp": "2019-07-18T03:34:02.716Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -2681,7 +2681,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456728Z", + "ingested": "2022-01-12T05:21:33.202006380Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2816,7 +2816,7 @@ }, "@timestamp": "2019-07-18T03:34:02.727Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -2838,7 +2838,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456733200Z", + "ingested": "2022-01-12T05:21:33.202006970Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -2931,7 +2931,7 @@ }, "@timestamp": "2019-07-18T03:34:02.733Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -2944,7 +2944,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456737Z", + "ingested": "2022-01-12T05:21:33.202007504Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3081,7 +3081,7 @@ }, "@timestamp": "2019-07-18T03:34:02.792Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -3103,7 +3103,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456741800Z", + "ingested": "2022-01-12T05:21:33.202008041Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3236,7 +3236,7 @@ }, "@timestamp": "2019-07-18T03:34:02.792Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -3252,7 +3252,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456747500Z", + "ingested": "2022-01-12T05:21:33.202008550Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3331,7 +3331,7 @@ }, "@timestamp": "2019-07-18T03:34:02.809Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -3343,7 +3343,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456751700Z", + "ingested": "2022-01-12T05:21:33.202009071Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -3467,7 +3467,7 @@ }, "@timestamp": "2019-07-18T03:34:02.821Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -3482,7 +3482,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456755900Z", + "ingested": "2022-01-12T05:21:33.202009564Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3565,7 +3565,7 @@ }, "@timestamp": "2019-07-18T03:34:02.821Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -3578,7 +3578,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456760500Z", + "ingested": "2022-01-12T05:21:33.202010212Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3702,7 +3702,7 @@ }, "@timestamp": "2019-07-18T03:34:02.828Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -3716,7 +3716,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456764900Z", + "ingested": "2022-01-12T05:21:33.202010733Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -3795,7 +3795,7 @@ }, "@timestamp": "2019-07-18T03:34:02.838Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -3807,7 +3807,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456770Z", + "ingested": "2022-01-12T05:21:33.202011286Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -3886,7 +3886,7 @@ }, "@timestamp": "2019-07-18T03:34:02.839Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -3898,7 +3898,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456775800Z", + "ingested": "2022-01-12T05:21:33.202011740Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4016,7 +4016,7 @@ }, "@timestamp": "2019-07-18T03:34:02.841Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4029,7 +4029,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456781500Z", + "ingested": "2022-01-12T05:21:33.202012186Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4136,7 +4136,7 @@ }, "@timestamp": "2019-07-18T03:34:02.844Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4153,7 +4153,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456787300Z", + "ingested": "2022-01-12T05:21:33.202012623Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4197,13 +4197,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.456793Z", + "ingested": "2022-01-12T05:21:33.202013012Z", "code": "16", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e16\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e16\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:37.933324000Z'/\u003e\u003cEventRecordID\u003e1\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4616' ThreadID='4724'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-3541430928-2051711210-1391384369-1001'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.933\u003c/Data\u003e\u003cData Name='Configuration'\u003eC:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\u003c/Data\u003e\u003cData Name='ConfigurationFileHash'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4280,7 +4280,7 @@ }, "@timestamp": "2019-07-18T03:34:02.956Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4292,7 +4292,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456798900Z", + "ingested": "2022-01-12T05:21:33.202013470Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4406,7 +4406,7 @@ }, "@timestamp": "2019-07-18T03:34:03.005Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4418,7 +4418,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456804700Z", + "ingested": "2022-01-12T05:21:33.202014113Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4547,7 +4547,7 @@ }, "@timestamp": "2019-07-18T03:34:03.070Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4562,7 +4562,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456810600Z", + "ingested": "2022-01-12T05:21:33.202014615Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4692,7 +4692,7 @@ }, "@timestamp": "2019-07-18T03:34:03.093Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -4714,7 +4714,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456816800Z", + "ingested": "2022-01-12T05:21:33.202015236Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -4793,7 +4793,7 @@ }, "@timestamp": "2019-07-18T03:34:03.099Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -4805,7 +4805,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456822500Z", + "ingested": "2022-01-12T05:21:33.202015776Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -4934,7 +4934,7 @@ }, "@timestamp": "2019-07-18T03:34:03.107Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -4956,7 +4956,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456828200Z", + "ingested": "2022-01-12T05:21:33.202016261Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5079,7 +5079,7 @@ }, "@timestamp": "2019-07-18T03:34:03.107Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5100,7 +5100,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456834100Z", + "ingested": "2022-01-12T05:21:33.202016708Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5146,13 +5146,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.456839900Z", + "ingested": "2022-01-12T05:21:33.202017116Z", "code": "4", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e4\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e2\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.011\u003c/Data\u003e\u003cData Name='State'\u003eStarted\u003c/Data\u003e\u003cData Name='Version'\u003e9.01\u003c/Data\u003e\u003cData Name='SchemaVersion'\u003e4.20\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5229,7 +5229,7 @@ }, "@timestamp": "2019-07-18T03:34:03.112Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5241,7 +5241,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456845700Z", + "ingested": "2022-01-12T05:21:33.202017594Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5316,7 +5316,7 @@ }, "@timestamp": "2019-07-18T03:34:03.113Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5327,7 +5327,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456852Z", + "ingested": "2022-01-12T05:21:33.202018287Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5410,7 +5410,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -5424,7 +5424,7 @@ "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.456857700Z", + "ingested": "2022-01-12T05:21:33.202018863Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e3\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.949\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4860\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e9.01\u003c/Data\u003e\u003cData Name='Description'\u003eSystem activity monitor\u003c/Data\u003e\u003cData Name='Product'\u003eSysinternals Sysmon\u003c/Data\u003e\u003cData Name='Company'\u003eSysinternals - www.sysinternals.com\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData 
Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e488\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\services.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\services.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5523,7 +5523,7 @@ }, "@timestamp": "2019-07-18T03:34:03.146Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5537,7 +5537,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456863700Z", + "ingested": "2022-01-12T05:21:33.202019741Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5656,7 +5656,7 @@ }, "@timestamp": "2019-07-18T03:34:03.146Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5676,7 +5676,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456869600Z", + "ingested": "2022-01-12T05:21:33.202020596Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -5731,6 +5731,7 @@ "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding" }, + "@timestamp": "2019-03-18T16:57:37.964Z", "winlog": { "computer_name": "vagrant-2012-r2", "record_id": "4", @@ -5760,9 +5761,8 @@ "identifier": "S-1-5-18" } }, - "@timestamp": "2019-03-18T16:57:37.964Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -5779,7 +5779,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:50:23.456875800Z", + "ingested": "2022-01-12T05:21:33.202021417Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e4\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.964\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-00102c412a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5028\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\unsecapp.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eSink to receive asynchronous callbacks for WMI client application\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT 
AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -5902,7 +5902,7 @@ }, "@timestamp": "2019-07-18T03:34:03.182Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -5923,7 +5923,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456882Z", + "ingested": "2022-01-12T05:21:33.202021926Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6010,7 +6010,7 @@ }, "@timestamp": "2019-07-18T03:34:03.183Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -6024,7 +6024,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456887700Z", + "ingested": "2022-01-12T05:21:33.202022535Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6154,7 +6154,7 @@ }, "@timestamp": "2019-07-18T03:34:03.222Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -6173,7 +6173,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456893400Z", + "ingested": "2022-01-12T05:21:33.202023067Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6261,7 +6261,7 @@ }, "@timestamp": "2019-07-18T03:34:03.271Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -6274,7 +6274,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456899200Z", + "ingested": "2022-01-12T05:21:33.202023619Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6382,7 +6382,7 @@ }, "@timestamp": "2019-07-18T03:34:03.271Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -6400,7 +6400,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456905300Z", + "ingested": "2022-01-12T05:21:33.202024026Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6483,7 +6483,7 @@ }, "@timestamp": "2019-07-18T03:34:03.290Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -6496,7 +6496,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456911200Z", + "ingested": "2022-01-12T05:21:33.202024512Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6575,7 +6575,7 @@ }, "@timestamp": "2019-07-18T03:34:03.292Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -6587,7 +6587,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456917100Z", + "ingested": "2022-01-12T05:21:33.202025042Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6653,7 +6653,7 @@ }, "@timestamp": "2019-07-18T03:34:03.315Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -6661,7 +6661,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456922900Z", + "ingested": "2022-01-12T05:21:33.202025718Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802587100Z'/\u003e\u003cEventRecordID\u003e118\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6727,7 +6727,7 @@ }, "@timestamp": "2019-07-18T03:34:03.315Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -6735,7 +6735,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456928900Z", + "ingested": "2022-01-12T05:21:33.202026409Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802678700Z'/\u003e\u003cEventRecordID\u003e119\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -6782,13 +6782,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.456934800Z", + "ingested": "2022-01-12T05:21:33.202026804Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e5\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -6910,7 +6910,7 @@ }, "@timestamp": "2019-07-18T03:34:03.333Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -6931,7 +6931,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456942400Z", + "ingested": "2022-01-12T05:21:33.202027209Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7019,7 +7019,7 @@ }, "@timestamp": "2019-07-18T03:34:03.343Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -7032,7 +7032,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456948500Z", + "ingested": "2022-01-12T05:21:33.202027709Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7111,7 +7111,7 @@ }, "@timestamp": "2019-07-18T03:34:03.391Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -7123,7 +7123,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456954300Z", + "ingested": "2022-01-12T05:21:33.202028288Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -7170,13 +7170,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.456960100Z", + "ingested": "2022-01-12T05:21:33.202028818Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e6\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010071e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4648\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\Downloads\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7298,7 +7298,7 @@ }, "@timestamp": "2019-07-18T03:34:03.393Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -7319,7 +7319,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456966100Z", + "ingested": "2022-01-12T05:21:33.202029364Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7405,7 +7405,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -7419,7 +7419,7 @@ "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.456972Z", + "ingested": "2022-01-12T05:21:33.202029877Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:39.012744700Z'/\u003e\u003cEventRecordID\u003e7\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:39.012\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce03-5c8f-0000-0010e9462a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4508\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eWMI Provider Host\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7484,7 +7484,7 @@ }, "@timestamp": "2019-03-18T16:57:47.847Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -7495,7 +7495,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456977900Z", + "ingested": "2022-01-12T05:21:33.202030305Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7563,7 +7563,7 @@ }, "@timestamp": "2019-03-18T16:57:48.070Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -7575,7 +7575,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456983600Z", + "ingested": "2022-01-12T05:21:33.202030811Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e9\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7643,7 +7643,7 @@ }, "@timestamp": "2019-03-18T16:57:48.148Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -7655,7 +7655,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456989400Z", + "ingested": "2022-01-12T05:21:33.202031246Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7723,7 +7723,7 @@ }, "@timestamp": "2019-03-18T16:57:48.214Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -7735,7 +7735,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.456995600Z", + "ingested": "2022-01-12T05:21:33.202031889Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7825,7 +7825,7 @@ }, "@timestamp": "2019-07-18T03:34:03.468Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -7838,7 +7838,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457001500Z", + "ingested": "2022-01-12T05:21:33.202032298Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -7962,7 +7962,7 @@ }, "@timestamp": "2019-07-18T03:34:03.581Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -7983,7 +7983,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457007200Z", + "ingested": "2022-01-12T05:21:33.202032790Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8048,7 +8048,7 @@ }, "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8060,7 +8060,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457013Z", + "ingested": "2022-01-12T05:21:33.202033277Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e12\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8141,7 +8141,7 @@ }, "@timestamp": "2019-07-18T03:34:03.872Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -8153,7 +8153,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457018700Z", + "ingested": "2022-01-12T05:21:33.202033982Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8225,7 +8225,7 @@ }, "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8237,7 +8237,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457024700Z", + "ingested": "2022-01-12T05:21:33.202034784Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e13\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8333,7 +8333,7 @@ }, "@timestamp": "2019-07-18T03:34:03.889Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -8345,7 +8345,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457030600Z", + "ingested": "2022-01-12T05:21:33.202035415Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8411,7 +8411,7 @@ }, "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8423,7 +8423,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457036400Z", + "ingested": "2022-01-12T05:21:33.202035846Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e14\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:e488:b85c:5262:ff86\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8490,7 +8490,7 @@ }, "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8501,7 +8501,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457042300Z", + "ingested": "2022-01-12T05:21:33.202036279Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8567,7 +8567,7 @@ }, "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8578,7 +8578,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457048100Z", + "ingested": "2022-01-12T05:21:33.202036885Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8644,7 +8644,7 @@ }, "@timestamp": "2019-03-18T16:57:48.251Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8655,7 +8655,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457054Z", + "ingested": "2022-01-12T05:21:33.202037358Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8722,7 +8722,7 @@ }, "@timestamp": "2019-03-18T16:57:48.251Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8734,7 +8734,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457059800Z", + "ingested": "2022-01-12T05:21:33.202037852Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e18\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:616f:32fa:b04f:b419\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8801,7 +8801,7 @@ }, "@timestamp": "2019-03-18T16:57:48.251Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8812,7 +8812,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457065600Z", + "ingested": "2022-01-12T05:21:33.202038381Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8879,7 +8879,7 @@ }, "@timestamp": "2019-03-18T16:57:48.264Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8894,7 +8894,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:50:23.457071500Z", + "ingested": "2022-01-12T05:21:33.202038998Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -8961,7 +8961,7 @@ }, "@timestamp": "2019-03-18T16:57:48.276Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -8976,7 +8976,7 @@ "name": "vagrant-2012-r2" }, "event": { - "ingested": "2021-12-09T13:50:23.457077300Z", + "ingested": "2022-01-12T05:21:33.202039453Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e21\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.276\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9043,7 +9043,7 @@ }, "@timestamp": "2019-03-18T16:57:49.213Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -9055,7 +9055,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457083100Z", + "ingested": "2022-01-12T05:21:33.202039956Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9151,7 +9151,7 @@ }, "@timestamp": "2019-07-18T03:34:03.890Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9163,7 +9163,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457089Z", + "ingested": "2022-01-12T05:21:33.202040351Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9243,7 +9243,7 @@ }, "@timestamp": "2019-07-18T03:34:03.892Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9254,7 +9254,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457094800Z", + "ingested": "2022-01-12T05:21:33.202040786Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9378,7 +9378,7 @@ }, "@timestamp": "2019-07-18T03:34:03.894Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9399,7 +9399,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457101100Z", + "ingested": "2022-01-12T05:21:33.202041264Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9528,7 +9528,7 @@ }, "@timestamp": "2019-07-18T03:34:03.894Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9548,7 +9548,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457106900Z", + "ingested": "2022-01-12T05:21:33.202041774Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9678,7 +9678,7 @@ }, "@timestamp": "2019-07-18T03:34:03.902Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9699,7 +9699,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457112700Z", + "ingested": "2022-01-12T05:21:33.202042319Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9823,7 +9823,7 @@ }, "@timestamp": "2019-07-18T03:34:03.911Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9844,7 +9844,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457118400Z", + "ingested": "2022-01-12T05:21:33.202042885Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -9932,7 +9932,7 @@ }, "@timestamp": "2019-07-18T03:34:03.911Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -9945,7 +9945,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457124400Z", + "ingested": "2022-01-12T05:21:33.202043489Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -10039,7 +10039,7 @@ }, "@timestamp": "2019-07-18T03:34:03.921Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10051,7 +10051,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457130400Z", + "ingested": "2022-01-12T05:21:33.202043890Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -10130,7 +10130,7 @@ }, "@timestamp": "2019-07-18T03:34:04.101Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10142,7 +10142,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457167Z", + "ingested": "2022-01-12T05:21:33.202044333Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -10266,7 +10266,7 @@ }, "@timestamp": "2019-07-18T03:34:04.137Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10284,7 +10284,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457174200Z", + "ingested": "2022-01-12T05:21:33.202044894Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10418,7 +10418,7 @@ }, "@timestamp": "2019-07-18T03:34:04.141Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10437,7 +10437,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457180200Z", + "ingested": "2022-01-12T05:21:33.202045429Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10560,7 +10560,7 @@ }, "@timestamp": "2019-07-18T03:34:04.168Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -10574,7 +10574,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457186400Z", + "ingested": "2022-01-12T05:21:33.202045973Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10639,7 +10639,7 @@ }, "@timestamp": "2019-03-18T16:57:49.218Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -10651,7 +10651,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457192300Z", + "ingested": "2022-01-12T05:21:33.207077979Z", "code": "3", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -10700,13 +10700,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457198Z", + "ingested": "2022-01-12T05:21:33.207079722Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.354274600Z'/\u003e\u003cEventRecordID\u003e24\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.350\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccc6-5c8f-0000-001005082900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4832\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10751,13 +10751,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457203800Z", + "ingested": "2022-01-12T05:21:33.207080365Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.364042800Z'/\u003e\u003cEventRecordID\u003e25\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.364\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cccc-5c8f-0000-0010e8272900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3208\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10812,13 +10812,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457210Z", + "ingested": "2022-01-12T05:21:33.207081009Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.402119100Z'/\u003e\u003cEventRecordID\u003e26\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10873,13 +10873,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457215900Z", + "ingested": "2022-01-12T05:21:33.207081507Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e27\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10934,13 +10934,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457221600Z", + "ingested": "2022-01-12T05:21:33.207082071Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e28\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.028\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -10995,13 +10995,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457227300Z", + "ingested": "2022-01-12T05:21:33.207082636Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e29\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:51:54.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11053,13 +11053,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457233400Z", + "ingested": "2022-01-12T05:21:33.207083651Z", "code": "5", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e30\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccab-5c8f-0000-001064eb2700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2680\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11114,13 +11114,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457239600Z", + "ingested": "2022-01-12T05:21:33.207084522Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e31\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:08.496\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 
16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -11201,7 +11201,7 @@ }, "@timestamp": "2019-07-18T03:34:04.169Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -11214,7 +11214,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457245400Z", + "ingested": "2022-01-12T05:21:33.207085103Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11343,7 +11343,7 @@ }, "@timestamp": "2019-07-18T03:34:04.169Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -11362,7 +11362,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457251300Z", + "ingested": "2022-01-12T05:21:33.207085632Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11445,7 +11445,7 @@ }, "@timestamp": "2019-07-18T03:34:04.184Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -11458,7 +11458,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457257100Z", + "ingested": "2022-01-12T05:21:33.207086172Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11587,7 +11587,7 @@ }, "@timestamp": "2019-07-18T03:34:04.184Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -11602,7 +11602,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457263100Z", + "ingested": "2022-01-12T05:21:33.207086783Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11726,7 +11726,7 @@ }, "@timestamp": "2019-07-18T03:34:04.185Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -11747,7 +11747,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457268900Z", + "ingested": "2022-01-12T05:21:33.207087318Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11849,7 +11849,7 @@ }, "@timestamp": "2019-07-18T03:34:04.189Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -11863,7 +11863,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457274700Z", + "ingested": "2022-01-12T05:21:33.207087885Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -11993,7 +11993,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.237Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -12015,7 +12015,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457280500Z",
+ "ingested": "2022-01-12T05:21:33.207088458Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12119,7 +12119,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.274Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -12131,7 +12131,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457286100Z",
+ "ingested": "2022-01-12T05:21:33.207089209Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12206,7 +12206,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.302Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -12217,7 +12217,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457291900Z",
+ "ingested": "2022-01-12T05:21:33.207089800Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12341,7 +12341,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.304Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -12362,7 +12362,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457297700Z",
+ "ingested": "2022-01-12T05:21:33.207090327Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12456,7 +12456,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.322Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -12468,7 +12468,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457305700Z",
+ "ingested": "2022-01-12T05:21:33.207090836Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12542,7 +12542,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.379Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -12553,7 +12553,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457311700Z",
+ "ingested": "2022-01-12T05:21:33.207091326Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12677,7 +12677,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.482Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -12698,7 +12698,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457317500Z",
+ "ingested": "2022-01-12T05:21:33.207091943Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12823,7 +12823,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.502Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -12844,7 +12844,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457323200Z",
+ "ingested": "2022-01-12T05:21:33.207092505Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -12948,7 +12948,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.507Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -12960,7 +12960,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457329Z",
+ "ingested": "2022-01-12T05:21:33.207093042Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -13084,7 +13084,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.508Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -13098,7 +13098,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457334800Z",
+ "ingested": "2022-01-12T05:21:33.207093562Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -13211,7 +13211,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.531Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -13227,7 +13227,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457340500Z",
+ "ingested": "2022-01-12T05:21:33.207094590Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -13340,7 +13340,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.532Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -13358,7 +13358,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457346200Z",
+ "ingested": "2022-01-12T05:21:33.207095145Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -13492,7 +13492,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.534Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -13508,7 +13508,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457352Z",
+ "ingested": "2022-01-12T05:21:33.207095671Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -13633,7 +13633,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.601Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -13654,7 +13654,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457357900Z",
+ "ingested": "2022-01-12T05:21:33.207096143Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -13772,7 +13772,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.604Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -13792,7 +13792,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457363700Z",
+ "ingested": "2022-01-12T05:21:33.207096668Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -13916,7 +13916,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.621Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -13937,7 +13937,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457369600Z",
+ "ingested": "2022-01-12T05:21:33.207097268Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -14061,7 +14061,7 @@
 },
 "@timestamp": "2019-07-18T03:34:04.822Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "related": {
 "hosts": [
@@ -14082,7 +14082,7 @@
 ]
 },
 "event": {
- "ingested": "2021-12-09T13:50:23.457375400Z",
+ "ingested": "2022-01-12T05:21:33.207097805Z",
 "code": "22",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -14165,7 +14165,7 @@ }, "@timestamp": "2019-07-18T03:34:04.822Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14178,7 +14178,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457381100Z", + "ingested": "2022-01-12T05:21:33.207098332Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14307,7 +14307,7 @@ }, "@timestamp": "2019-07-18T03:34:04.860Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -14321,7 +14321,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457387Z", + "ingested": "2022-01-12T05:21:33.207099079Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14404,7 +14404,7 @@ }, "@timestamp": "2019-07-18T03:34:04.904Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14417,7 +14417,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457392900Z", + "ingested": "2022-01-12T05:21:33.207099701Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14511,7 +14511,7 @@ }, "@timestamp": "2019-07-18T03:34:04.911Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14523,7 +14523,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457398700Z", + "ingested": "2022-01-12T05:21:33.207100436Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14607,7 +14607,7 @@ }, "@timestamp": "2019-07-18T03:34:06.056Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14619,7 +14619,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457404600Z", + "ingested": "2022-01-12T05:21:33.207100971Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14703,7 +14703,7 @@ }, "@timestamp": "2019-07-18T03:34:06.064Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14715,7 +14715,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457410300Z", + "ingested": "2022-01-12T05:21:33.207101541Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14798,7 +14798,7 @@ }, "@timestamp": "2019-07-18T03:34:06.178Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14811,7 +14811,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457416Z", + "ingested": "2022-01-12T05:21:33.207102078Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14895,7 +14895,7 @@ }, "@timestamp": "2019-07-18T03:34:06.455Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14907,7 +14907,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457421900Z", + "ingested": "2022-01-12T05:21:33.207102578Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -14986,7 +14986,7 @@ }, "@timestamp": "2019-07-18T03:34:06.494Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -14998,7 +14998,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457427800Z", + "ingested": "2022-01-12T05:21:33.207103111Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15086,7 +15086,7 @@ }, "@timestamp": "2019-07-18T03:34:06.567Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15099,7 +15099,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457433600Z", + "ingested": "2022-01-12T05:21:33.207103696Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15182,7 +15182,7 @@ }, "@timestamp": "2019-07-18T03:34:07.228Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15195,7 +15195,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457439600Z", + "ingested": "2022-01-12T05:21:33.207104227Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15289,7 +15289,7 @@ }, "@timestamp": "2019-07-18T03:34:07.357Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15303,7 +15303,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457445600Z", + "ingested": "2022-01-12T05:21:33.207104965Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15386,7 +15386,7 @@ }, "@timestamp": "2019-07-18T03:34:07.721Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15399,7 +15399,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457451400Z", + "ingested": "2022-01-12T05:21:33.207105538Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15482,7 +15482,7 @@ }, "@timestamp": "2019-07-18T03:34:07.774Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15495,7 +15495,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457457100Z", + "ingested": "2022-01-12T05:21:33.207106095Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15578,7 +15578,7 @@ }, "@timestamp": "2019-07-18T03:34:07.847Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15591,7 +15591,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457463Z", + "ingested": "2022-01-12T05:21:33.207106678Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15721,7 +15721,7 @@ }, "@timestamp": "2019-07-18T03:34:07.943Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15743,7 +15743,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457468800Z", + "ingested": "2022-01-12T05:21:33.207107211Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15837,7 +15837,7 @@ }, "@timestamp": "2019-07-18T03:34:07.945Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15850,7 +15850,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457474500Z", + "ingested": "2022-01-12T05:21:33.207107675Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -15942,7 +15942,7 @@ }, "@timestamp": "2019-07-18T03:34:07.954Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -15953,7 +15953,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457480600Z", + "ingested": "2022-01-12T05:21:33.207108382Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16078,7 +16078,7 @@ }, "@timestamp": "2019-07-18T03:34:07.955Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16099,7 +16099,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457486400Z", + "ingested": "2022-01-12T05:21:33.207108995Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16174,7 +16174,7 @@ }, "@timestamp": "2019-07-18T03:34:07.955Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16185,7 +16185,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457492500Z", + "ingested": "2022-01-12T05:21:33.207109496Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16268,7 +16268,7 @@ }, "@timestamp": "2019-07-18T03:34:07.956Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16281,7 +16281,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457498200Z", + "ingested": "2022-01-12T05:21:33.207110185Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16410,7 +16410,7 @@ }, "@timestamp": "2019-07-18T03:34:08.019Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16429,7 +16429,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457504Z", + "ingested": "2022-01-12T05:21:33.207110776Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -16508,7 +16508,7 @@ }, "@timestamp": "2019-07-18T03:34:08.050Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -16520,7 +16520,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457509900Z", + "ingested": "2022-01-12T05:21:33.207111359Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16603,7 +16603,7 @@ }, "@timestamp": "2019-07-18T03:34:08.070Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16616,7 +16616,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457515800Z", + "ingested": "2022-01-12T05:21:33.207111915Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -16743,7 +16743,7 @@ }, "@timestamp": "2019-07-18T03:34:08.090Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16758,7 +16758,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457521700Z", + "ingested": "2022-01-12T05:21:33.207112428Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -16891,7 +16891,7 @@ }, "@timestamp": "2019-07-18T03:34:08.308Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -16907,7 +16907,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457527500Z", + "ingested": "2022-01-12T05:21:33.207112930Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -16990,7 +16990,7 @@ }, "@timestamp": "2019-07-18T03:34:08.478Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -17003,7 +17003,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457533300Z", + "ingested": "2022-01-12T05:21:33.207113432Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17132,7 +17132,7 @@ }, "@timestamp": "2019-07-18T03:34:08.536Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -17147,7 +17147,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457539400Z", + "ingested": "2022-01-12T05:21:33.207114050Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17277,7 +17277,7 @@ }, "@timestamp": "2019-07-18T03:34:08.544Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -17299,7 +17299,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457545200Z", + "ingested": "2022-01-12T05:21:33.207114715Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17424,7 +17424,7 @@ }, "@timestamp": "2019-07-18T03:34:08.550Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -17444,7 +17444,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457551Z", + "ingested": "2022-01-12T05:21:33.207115232Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17564,7 +17564,7 @@ }, "@timestamp": "2019-07-18T03:34:08.552Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -17575,7 +17575,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457557300Z", + "ingested": "2022-01-12T05:21:33.207115965Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -17705,7 +17705,7 @@ }, "@timestamp": "2019-07-18T03:34:08.552Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -17726,7 +17726,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457563100Z", + "ingested": "2022-01-12T05:21:33.207116485Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18060,7 +18060,7 @@ }, "@timestamp": "2019-07-18T03:34:08.594Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18094,7 +18094,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457569Z", + "ingested": "2022-01-12T05:21:33.207117066Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18238,7 +18238,7 @@ }, "@timestamp": "2019-07-18T03:34:08.619Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18252,7 +18252,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457574800Z", + "ingested": "2022-01-12T05:21:33.207117916Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18338,7 +18338,7 @@ }, "@timestamp": "2019-07-18T03:34:08.620Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -18350,7 +18350,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457580700Z", + "ingested": "2022-01-12T05:21:33.207118584Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18437,7 +18437,7 @@ }, "@timestamp": "2019-07-18T03:34:08.811Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18451,7 +18451,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457586600Z", + "ingested": "2022-01-12T05:21:33.207119190Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18517,7 +18517,7 @@ }, "@timestamp": "2019-07-18T03:34:08.912Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18525,7 +18525,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457592300Z", + "ingested": "2022-01-12T05:21:33.207119839Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067946300Z'/\u003e\u003cEventRecordID\u003e200\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.912\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18608,7 +18608,7 @@ }, "@timestamp": "2019-07-18T03:34:09.016Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18621,7 +18621,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457598100Z", + "ingested": "2022-01-12T05:21:33.207120484Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -18751,7 +18751,7 @@ }, "@timestamp": "2019-07-18T03:34:09.048Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18769,7 +18769,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457603900Z", + "ingested": "2022-01-12T05:21:33.207120999Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -18899,7 +18899,7 @@ }, "@timestamp": "2019-07-18T03:34:09.051Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -18918,7 +18918,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457609600Z", + "ingested": "2022-01-12T05:21:33.207121553Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19001,7 +19001,7 @@ }, "@timestamp": "2019-07-18T03:34:09.054Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19014,7 +19014,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457615800Z", + "ingested": "2022-01-12T05:21:33.207122079Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19138,7 +19138,7 @@ }, "@timestamp": "2019-07-18T03:34:09.126Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19159,7 +19159,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457621500Z", + "ingested": "2022-01-12T05:21:33.207122669Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19290,7 +19290,7 @@ }, "@timestamp": "2019-07-18T03:34:09.184Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19311,7 +19311,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457629100Z", + "ingested": "2022-01-12T05:21:33.207123309Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19434,7 +19434,7 @@ }, "@timestamp": "2019-07-18T03:34:09.322Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -19448,7 +19448,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457635200Z", + "ingested": "2022-01-12T05:21:33.207123846Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19560,7 +19560,7 @@ }, "@timestamp": "2019-07-18T03:34:09.730Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -19579,7 +19579,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457640800Z", + "ingested": "2022-01-12T05:21:33.207124305Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19669,7 +19669,7 @@ }, "@timestamp": "2019-07-18T03:34:10.627Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19682,7 +19682,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457646800Z", + "ingested": "2022-01-12T05:21:33.207124904Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19772,7 +19772,7 @@ }, "@timestamp": "2019-07-18T03:34:10.650Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19785,7 +19785,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457652700Z", + "ingested": "2022-01-12T05:21:33.207125734Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -19909,7 +19909,7 @@ }, "@timestamp": "2019-07-18T03:34:16.329Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -19930,7 +19930,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457658600Z", + "ingested": "2022-01-12T05:21:33.207126268Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20025,7 +20025,7 @@ }, "@timestamp": "2019-07-18T03:34:16.386Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -20041,7 +20041,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457664600Z", + "ingested": "2022-01-12T05:21:33.207126816Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20171,7 +20171,7 @@ }, "@timestamp": "2019-07-18T03:34:16.482Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20190,7 +20190,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457670400Z", + "ingested": "2022-01-12T05:21:33.207127375Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -20269,7 +20269,7 @@ }, "@timestamp": "2019-07-18T03:34:19.578Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -20281,7 +20281,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457676Z", + "ingested": "2022-01-12T05:21:33.207127918Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20364,7 +20364,7 @@ }, "@timestamp": "2019-07-18T03:34:31.219Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20377,7 +20377,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457681700Z", + "ingested": "2022-01-12T05:21:33.207128455Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20456,7 +20456,7 @@ }, "@timestamp": "2019-07-18T03:39:02.752Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20468,7 +20468,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457687400Z", + "ingested": "2022-01-12T05:21:33.207128926Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20534,7 +20534,7 @@ }, "@timestamp": "2019-07-18T03:39:20.413Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20542,7 +20542,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457693200Z", + "ingested": "2022-01-12T05:21:33.207129504Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:22.432153100Z'/\u003e\u003cEventRecordID\u003e221\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:20.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003eisatap.local.crowbird.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20605,7 +20605,7 @@ }, "@timestamp": "2019-07-18T03:39:40.504Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20613,7 +20613,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457699Z", + "ingested": "2022-01-12T05:21:33.207130060Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:42.554539300Z'/\u003e\u003cEventRecordID\u003e230\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:40.504\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e9f7-5d2f-0000-001031039c00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e676\u003c/Data\u003e\u003cData Name='QueryName'\u003epuppet\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20676,7 +20676,7 @@ }, "@timestamp": "2019-07-18T03:40:40.433Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20684,7 +20684,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457704800Z", + "ingested": "2022-01-12T05:21:33.207130553Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:40:42.447293700Z'/\u003e\u003cEventRecordID\u003e231\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:40:40.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-001016f70000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e636\u003c/Data\u003e\u003cData Name='QueryName'\u003ewpad\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20771,7 +20771,7 @@ }, "@timestamp": "2019-07-18T03:42:54.033Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20785,7 +20785,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457710500Z", + "ingested": "2022-01-12T05:21:33.207131114Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20864,7 +20864,7 @@ }, "@timestamp": "2019-07-18T03:43:04.400Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -20876,7 +20876,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457716100Z", + "ingested": "2022-01-12T05:21:33.207131645Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -20960,7 +20960,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -20974,7 +20974,7 @@ "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457721900Z", + "ingested": "2022-01-12T05:21:33.207132170Z", "code": "1", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-27T20:00:14.324234100Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='7144' ThreadID='6876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-27 20:00:14.320\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-7c4e-5f98-5803-000000000500}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\notepad.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.475 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eNotepad\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eNOTEPAD.EXE\u003c/Data\u003e\u003cData Name='CommandLine'\u003e\"C:\\Windows\\system32\\notepad.exe\" \u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Users\\vagrant\\\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{9f32b55f-6fdd-5f98-e7c9-020000000000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x2c9e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e1\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eMedium\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=B6D237154F2E528F0B503B58B025862D66B02B73\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{9f32b55f-6fdf-5f98-7000-000000000500}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e4212\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -21021,7 +21021,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" 
@@ -21030,7 +21030,7 @@ "name": "DESKTOP-I9CQVAQ" }, "event": { - "ingested": "2021-12-09T13:50:23.457727800Z", + "ingested": "2022-01-12T05:21:33.207132876Z", "code": "25", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e25\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e25\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T14:43:23.551269400Z'/\u003e\u003cEventRecordID\u003e10737797\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='5080'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 14:43:23.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-b78b-6037-6f13-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2628\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\u003c/Data\u003e\u003cData Name='Type'\u003eImage is replaced\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -21083,9 +21083,6 @@ "is_executable": false } }, - "log": { - "level": "information" - }, "@timestamp": "2020-05-12T06:48:27.084Z", "file": { "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", @@ -21093,7 +21090,7 @@ "directory": "C:\\Windows\\System32\\LogFiles\\Scm" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -21103,8 +21100,11 @@ "5a9bddf83be530b481f0fd24db28a6ff" ] }, + "log": { + "level": "information" + }, "event": { - "ingested": "2021-12-09T13:50:23.457733500Z", + "ingested": "2022-01-12T05:21:33.207133423Z", "code": "23", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-12T06:48:27.084044200Z'/\u003e\u003cEventRecordID\u003e2243\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1188' ThreadID='1600'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-12 06:48:27.084\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-4664-5eba-91ae-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e820\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21130,6 +21130,7 @@ "entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}", "executable": "C:\\Windows\\System32\\dllhost.exe" }, + "@timestamp": "2020-10-28T02:39:26.374Z", "winlog": { "computer_name": "vagrant", "record_id": "10685", @@ -21158,7 +21159,6 @@ "identifier": "S-1-5-18" } }, - "@timestamp": "2020-10-28T02:39:26.374Z", "file": { "path": "C:\\Windows\\System32\\IDStore.dll", "extension": "dll", @@ -21184,7 +21184,7 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hash": [ 
@@ -21198,7 +21198,7 @@ "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457739300Z", + "ingested": "2022-01-12T05:21:33.207133895Z", "code": "7", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e7\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e7\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-28T02:39:26.388325200Z'/\u003e\u003cEventRecordID\u003e10685\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1676' ThreadID='4796'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-28 02:39:26.374\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-d9de-5f98-f006-000000000600}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5184\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\dllhost.exe\u003c/Data\u003e\u003cData Name='ImageLoaded'\u003eC:\\Windows\\System32\\IDStore.dll\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.1 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eIdentity Store\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eIdStore.dll\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\u003c/Data\u003e\u003cData Name='Signed'\u003etrue\u003c/Data\u003e\u003cData Name='Signature'\u003eMicrosoft Windows\u003c/Data\u003e\u003cData Name='SignatureStatus'\u003eValid\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21252,13 +21252,13 @@ } }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457745100Z", + "ingested": "2022-01-12T05:21:33.207134456Z", "code": "13", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818869100Z'/\u003e\u003cEventRecordID\u003e2691\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21314,23 +21314,23 @@ "archived": true } }, - "log": { - "level": "information" - }, "@timestamp": "2021-02-25T15:04:48.592Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hash": [ "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" ] }, + "log": { + "level": "information" + }, "host": { "name": "DESKTOP-I9CQVAQ" }, "event": { - "ingested": "2021-12-09T13:50:23.457751Z", + "ingested": "2022-01-12T05:21:33.207135151Z", "code": "24", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e24\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e24\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T15:04:48.607343500Z'/\u003e\u003cEventRecordID\u003e10757412\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='6444'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 15:04:48.592\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-aa1b-602f-a600-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2144\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\u003c/Data\u003e\u003cData Name='Session'\u003e1\u003c/Data\u003e\u003cData Name='ClientInfo'\u003euser: DESKTOP-I9CQVAQ\\luks\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
@@ -21382,13 +21382,13 @@ "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "log": { "level": "information" }, "event": { - "ingested": "2021-12-09T13:50:23.457756700Z", + "ingested": "2022-01-12T05:21:33.207135620Z", "code": "2", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e32\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.339\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 
16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", @@ -21499,7 +21499,7 @@ }, "@timestamp": "2019-07-18T03:49:51.154Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -21518,7 +21518,7 @@ ] }, "event": { - "ingested": "2021-12-09T13:50:23.457762300Z", + "ingested": "2022-01-12T05:21:33.207136142Z", "code": "22", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", 
diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
index db28eb13cf7..5e337c79e6f 100644
--- a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
@@ -5,7 +5,7 @@
 processors:
 - set:
 field: ecs.version
- value: '1.12.0'
+ value: '8.0.0'
 - rename:
 field: winlog.level
 target_field: log.level
diff --git a/packages/windows/data_stream/sysmon_operational/sample_event.json b/packages/windows/data_stream/sysmon_operational/sample_event.json
index 997d734403c..d4735279da0 100644
--- a/packages/windows/data_stream/sysmon_operational/sample_event.json
+++ b/packages/windows/data_stream/sysmon_operational/sample_event.json
@@ -1,12 +1,11 @@
 {
 "@timestamp": "2019-07-18T03:34:01.261Z",
 "agent": {
- "ephemeral_id": "0db86869-9076-44ed-acbc-32415bdaa793",
- "hostname": "docker-fleet-agent",
- "id": "8a695e28-aed6-4bbf-90be-5a9b7f99eab9",
+ "ephemeral_id": "864e1771-93da-4224-b75b-92560b085f41",
+ "id": "9878d192-22ad-49b6-a6c2-9959b0815d04",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "7.14.0"
+ "version": "8.0.0-beta1"
 },
 "data_stream": {
 "dataset": "windows.sysmon_operational",
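Review bot: The ECS version this pipeline stamps onto every document is a bare literal (`value: '8.0.0'`) with nothing tying it to the `git@8.0` reference in `_dev/build/build.yml` or to the `ecs.version` values in the pipeline test fixtures, so the three have to be kept aligned by hand on each upgrade. A one-line comment above the `set` processor, `# Keep in sync with the ecs reference in _dev/build/build.yml`, would point the next maintainer at the source of truth. The hunk shows only the constant changing; whether any field this pipeline emits was renamed or removed between ECS 1.12 and 8.0 is not visible here and would need checking against the ECS 8.0 breaking-changes list. The enclosing `processors` list continues outside the hunk.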
@@ -39,22 +38,22 @@ ] }, "ecs": { - "version": "1.10.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "24ec544f-3818-44a4-ac26-223be6af154a", - "snapshot": true, - "version": "7.14.0" + "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "snapshot": false, + "version": "8.0.0-beta1" }, "event": { - "agent_id_status": "agent_id_mismatch", + "agent_id_status": "verified", "category": [ "network" ], "code": "22", "created": "2019-07-18T03:34:02.025Z", "dataset": "windows.sysmon_operational", - "ingested": "2021-06-14T13:44:51.825787300Z", + "ingested": "2022-01-12T05:25:16Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md
index 52ccfb04d33..67f70075b2a 100644
--- a/packages/windows/docs/README.md
+++ b/packages/windows/docs/README.md
@@ -149,12 +149,11 @@ An example event for `powershell` looks as following:
 {
 "@timestamp": "2020-05-13T13:21:43.183Z",
 "agent": {
- "ephemeral_id": "0db86869-9076-44ed-acbc-32415bdaa793",
- "hostname": "docker-fleet-agent",
- "id": "8a695e28-aed6-4bbf-90be-5a9b7f99eab9",
+ "ephemeral_id": "db81e0aa-51b2-4036-9ece-f3c8979be9f8",
+ "id": "9878d192-22ad-49b6-a6c2-9959b0815d04",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "7.14.0"
+ "version": "8.0.0-beta1"
 },
 "data_stream": {
 "dataset": "windows.powershell",
@@ -162,20 +161,20 @@ An example event for `powershell` looks as following: "type": "logs" }, "ecs": { - "version": "1.10.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "24ec544f-3818-44a4-ac26-223be6af154a", - "snapshot": true, - "version": "7.14.0" + "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "snapshot": false, + "version": "8.0.0-beta1" }, "event": { - "agent_id_status": "agent_id_mismatch", + "agent_id_status": "verified", "category": "process", "code": "600", - "created": "2021-06-14T13:43:24.815Z", + "created": "2022-01-12T05:24:01.636Z", "dataset": "windows.powershell", - "ingested": "2021-06-14T13:43:25.859030600Z", + "ingested": "2022-01-12T05:24:02Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "PowerShell",
@@ -483,12 +482,11 @@ An example event for `powershell_operational` looks as following:
 {
 "@timestamp": "2020-05-13T09:04:04.755Z",
 "agent": {
- "ephemeral_id": "0db86869-9076-44ed-acbc-32415bdaa793",
- "hostname": "docker-fleet-agent",
- "id": "8a695e28-aed6-4bbf-90be-5a9b7f99eab9",
+ "ephemeral_id": "bbdc83ce-5df6-4729-b8e9-0185b6ab66f6",
+ "id": "9878d192-22ad-49b6-a6c2-9959b0815d04",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "7.14.0"
+ "version": "8.0.0-beta1"
 },
 "data_stream": {
 "dataset": "windows.powershell_operational",
@@ -496,20 +494,20 @@ An example event for `powershell_operational` looks as following: "type": "logs" }, "ecs": { - "version": "1.10.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "24ec544f-3818-44a4-ac26-223be6af154a", - "snapshot": true, - "version": "7.14.0" + "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "snapshot": false, + "version": "8.0.0-beta1" }, "event": { - "agent_id_status": "agent_id_mismatch", + "agent_id_status": "verified", "category": "process", "code": "4105", - "created": "2021-06-14T13:44:07.370Z", + "created": "2022-01-12T05:24:36.653Z", "dataset": "windows.powershell_operational", - "ingested": "2021-06-14T13:44:08.399097100Z", + "ingested": "2022-01-12T05:24:37Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", 
@@ -810,12 +808,11 @@ An example event for `sysmon_operational` looks as following:
 {
 "@timestamp": "2019-07-18T03:34:01.261Z",
 "agent": {
- "ephemeral_id": "0db86869-9076-44ed-acbc-32415bdaa793",
- "hostname": "docker-fleet-agent",
- "id": "8a695e28-aed6-4bbf-90be-5a9b7f99eab9",
+ "ephemeral_id": "864e1771-93da-4224-b75b-92560b085f41",
+ "id": "9878d192-22ad-49b6-a6c2-9959b0815d04",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "7.14.0"
+ "version": "8.0.0-beta1"
 },
 "data_stream": {
 "dataset": "windows.sysmon_operational",
@@ -848,22 +845,22 @@ An example event for `sysmon_operational` looks as following: ] }, "ecs": { - "version": "1.10.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "24ec544f-3818-44a4-ac26-223be6af154a", - "snapshot": true, - "version": "7.14.0" + "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "snapshot": false, + "version": "8.0.0-beta1" }, "event": { - "agent_id_status": "agent_id_mismatch", + "agent_id_status": "verified", "category": [ "network" ], "code": "22", "created": "2019-07-18T03:34:02.025Z", "dataset": "windows.sysmon_operational", - "ingested": "2021-06-14T13:44:51.825787300Z", + "ingested": "2022-01-12T05:25:16Z", "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 
a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
@@ -959,7 +956,7 @@ An example event for `sysmon_operational` looks as following:
 | dataset.name | Dataset name. | constant_keyword |
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
-| destination.domain | Destination domain. | keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.port | Port of the destination. | long |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
@@ -1039,9 +1036,9 @@ An example event for `sysmon_operational` looks as following:
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
| keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
 | process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
 | process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
 | process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
@@ -1082,7 +1079,7 @@ An example event for `sysmon_operational` looks as following:
 | rule.name | The name of the rule or signature generating the event. | keyword |
 | service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-| source.domain | Source domain. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.port | Port of the source. | long |
 | sysmon.dns.status | Windows status code returned for the DNS query. | keyword |
diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
index c6ac19b98d0..131693a117d 100644
--- a/packages/windows/manifest.yml
+++ b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.6.0
+version: 1.7.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: