diff --git a/packages/windows/_dev/build/docs/README.md b/packages/windows/_dev/build/docs/README.md
index 8d4859a9d81..98083826d70 100644
--- a/packages/windows/_dev/build/docs/README.md
+++ b/packages/windows/_dev/build/docs/README.md
@@ -46,6 +46,8 @@ channel specific datasets.
The Windows `powershell` dataset provides events from the Windows
`Windows PowerShell` event log.
+{{event "powershell"}}
+
{{fields "powershell"}}
### Powershell/Operational
@@ -53,6 +55,8 @@ The Windows `powershell` dataset provides events from the Windows
The Windows `powershell_operational` dataset provides events from the Windows
`Microsoft-Windows-PowerShell/Operational` event log.
+{{event "powershell_operational"}}
+
{{fields "powershell_operational"}}
### Sysmon/Operational
@@ -60,4 +64,6 @@ The Windows `powershell_operational` dataset provides events from the Windows
The Windows `sysmon_operational` dataset provides events from the Windows
`Microsoft-Windows-Sysmon/Operational` event log.
+{{event "sysmon_operational"}}
+
{{fields "sysmon_operational"}}
\ No newline at end of file
diff --git a/packages/windows/_dev/deploy/docker/docker-compose.yml b/packages/windows/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..df09dbfb8c1
--- /dev/null
+++ b/packages/windows/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,12 @@
+version: '2.3'
+services:
+ splunk-mock:
+ image: docker.elastic.co/observability/stream:v0.5.0
+ ports:
+ - 8080
+ volumes:
+ - ./files:/files:ro
+ command:
+ - http-server
+ - --addr=:8080
+ - --config=/files/config.yml
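Review bot: The mock image is pinned only by the mutable tag `docker.elastic.co/observability/stream:v0.5.0`, so the fixture the system tests run against can change underneath them with no diff in this file; adding the digest, `image: docker.elastic.co/observability/stream:v0.5.0@sha256:<DIGEST-PLACEHOLDER>`, keeps the test environment reproducible. The `./files:/files:ro` mount is correctly read-only. A one-line comment above `ports:` saying that `8080` is the container port the test harness publishes on an ephemeral host port would save readers a lookup, if that is indeed how `{{Port}}` in the test configs is filled in.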
diff --git a/packages/windows/_dev/deploy/docker/files/config.yml b/packages/windows/_dev/deploy/docker/files/config.yml
new file mode 100644
index 00000000000..aa311b5ba94
--- /dev/null
+++ b/packages/windows/_dev/deploy/docker/files/config.yml
@@ -0,0 +1,177 @@
+rules:
+ - path: /services/search/jobs/export
+ user: test
+ password: test
+ methods:
+ - POST
+ query_params:
+ index_earliest: "{index_earliest:[0-9]+}"
+ index_latest: "{index_latest:[0-9]+}"
+ output_mode: json
+ search: 'search sourcetype="XmlWinEventLog:ForwardedEvents" | streamstats max(_indextime) AS max_indextime'
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {
+ "preview": false,
+ "offset": 194,
+ "lastrow": true,
+ "result": {
+ "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
+ "_cd": "0:315",
+ "_indextime": "1622471463",
+ "_raw": "410515102150x0790Microsoft-Windows-PowerShell/Operationalvagrantf4a378ab-b74f-41a7-a5ef-6dd55562fdb99c031e5c-8d5a-4b91-a12e-b3624970b623",
+ "_serial": "194",
+ "_si": [
+ "69819b6ce1bd",
+ "main"
+ ],
+ "_sourcetype": "XmlWinEventLog:Security",
+ "_time": "2021-05-25 13:11:45.000 UTC",
+ "host": "VAGRANT",
+ "index": "main",
+ "linecount": "1",
+ "max_indextime": "1622471606",
+ "source": "WinEventLog:Security",
+ "sourcetype": "XmlWinEventLog:Security",
+ "splunk_server": "69819b6ce1bd"
+ }
+ }
+ - path: /services/search/jobs/export
+ user: test
+ password: test
+ methods:
+ - post
+ query_params:
+ index_earliest: "{index_earliest:[0-9]+}"
+ index_latest: "{index_latest:[0-9]+}"
+ output_mode: json
+ search: 'search sourcetype="XmlWinEventLog:Windows PowerShell" | streamstats max(_indextime) AS max_indextime'
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {
+ "preview": false,
+ "offset": 194,
+ "lastrow": true,
+ "result": {
+ "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
+ "_cd": "0:315",
+ "_indextime": "1622471463",
+ "_raw": "600460x800000000000001089Windows PowerShellvagrantCertificateStarted\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\n600460x800000000000001266Windows PowerShellvagrantRegistryStarted\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\n600460x8000000000000018640Windows PowerShellvagrantCertificateStarted\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
+ "_serial": "194",
+ "_si": [
+ "69819b6ce1bd",
+ "main"
+ ],
+ "_sourcetype": "XmlWinEventLog:Security",
+ "_time": "2021-05-25 13:11:45.000 UTC",
+ "host": "VAGRANT",
+ "index": "main",
+ "linecount": "1",
+ "max_indextime": "1622471606",
+ "source": "WinEventLog:Security",
+ "sourcetype": "XmlWinEventLog:Security",
+ "splunk_server": "69819b6ce1bd"
+ }
+ }
+ - path: /services/search/jobs/export
+ user: test
+ password: test
+ methods:
+ - post
+ query_params:
+ index_earliest: "{index_earliest:[0-9]+}"
+ index_latest: "{index_latest:[0-9]+}"
+ output_mode: json
+ search: 'search sourcetype="XmlWinEventLog:Microsoft-Windows-Powershell/Operational" | streamstats max(_indextime) AS max_indextime'
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {
+ "preview": false,
+ "offset": 194,
+ "lastrow": true,
+ "result": {
+ "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
+ "_cd": "0:315",
+ "_indextime": "1622471463",
+ "_raw": "410515102150x0790Microsoft-Windows-PowerShell/Operationalvagrantf4a378ab-b74f-41a7-a5ef-6dd55562fdb99c031e5c-8d5a-4b91-a12e-b3624970b623",
+ "_serial": "194",
+ "_si": [
+ "69819b6ce1bd",
+ "main"
+ ],
+ "_sourcetype": "XmlWinEventLog:Security",
+ "_time": "2021-05-25 13:11:45.000 UTC",
+ "host": "VAGRANT",
+ "index": "main",
+ "linecount": "1",
+ "max_indextime": "1622471606",
+ "source": "WinEventLog:Security",
+ "sourcetype": "XmlWinEventLog:Security",
+ "splunk_server": "69819b6ce1bd"
+ }
+ }
+ - path: /services/search/jobs/export
+ user: test
+ password: test
+ methods:
+ - post
+ query_params:
+ index_earliest: "{index_earliest:[0-9]+}"
+ index_latest: "{index_latest:[0-9]+}"
+ output_mode: json
+ search: 'search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" | streamstats max(_indextime) AS max_indextime'
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {
+ "preview": false,
+ "offset": 194,
+ "lastrow": true,
+ "result": {
+ "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
+ "_cd": "0:315",
+ "_indextime": "1622471463",
+ "_raw": "22542200x800000000000000067Microsoft-Windows-Sysmon/Operationalvagrant-20162019-07-18 03:34:01.261{fa4a0de6-e8a9-5d2f-0000-001053699900}2736www.msn.com0type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "_serial": "194",
+ "_si": [
+ "69819b6ce1bd",
+ "main"
+ ],
+ "_sourcetype": "XmlWinEventLog:Security",
+ "_time": "2021-05-25 13:11:45.000 UTC",
+ "host": "VAGRANT",
+ "index": "main",
+ "linecount": "1",
+ "max_indextime": "1622471606",
+ "source": "WinEventLog:Security",
+ "sourcetype": "XmlWinEventLog:Security",
+ "splunk_server": "69819b6ce1bd"
+ }
+ }
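Review bot: The first rule lists its method as `- POST` while the remaining three rules use `- post`; if the stream mock compares methods case-sensitively, only the first search will ever be served, so the four rules should agree on one spelling, e.g. `- POST` throughout. The third rule's search value `XmlWinEventLog:Microsoft-Windows-Powershell/Operational` also differs in case from the channel name `Microsoft-Windows-PowerShell/Operational` used in the README and in the canned `_raw` bodies; since the mock presumably matches the agent's query string literally, this is worth confirming against the data stream's httpjson configuration, which is not part of this diff. All four responses report `_sourcetype`/`sourcetype` as `XmlWinEventLog:Security` and `source` as `WinEventLog:Security` even though they answer PowerShell and Sysmon searches, which looks like a copy of the security fixture; harmless if the ingest pipelines ignore those fields, but misleading as test data and worth aligning with each rule's `search` sourcetype. The `_raw` values as rendered here appear to have lost their XML tags, while `event.original` in the accompanying sample_event.json files keeps them, so the committed file should be checked to ensure the mock actually emits well-formed event XML.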
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 355c68ee2ac..91eb4218635 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,12 @@
# newer versions go on top
+- version: "0.8.2"
+ changes:
+ - description: Add system tests for Splunk http inputs and improve README.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1044
+ - description: Fix sysmon pipeline when processing `dns.resolved_ip`.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1044
- version: "0.8.1"
changes:
- description: Fix security pipeline to support string event.code.
diff --git a/packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..dfa8f5c9201
--- /dev/null
+++ b/packages/windows/data_stream/forwarded/_dev/test/system/test-default-config.yml
@@ -0,0 +1,9 @@
+input: httpjson
+service: splunk-mock
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ username: test
+ password: test
+data_stream:
+ vars:
+ preserve_original_event: true
diff --git a/packages/windows/data_stream/forwarded/fields/beats.yml b/packages/windows/data_stream/forwarded/fields/beats.yml
new file mode 100644
index 00000000000..3c48f1f224f
--- /dev/null
+++ b/packages/windows/data_stream/forwarded/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/data_stream/forwarded/sample_event.json b/packages/windows/data_stream/forwarded/sample_event.json
new file mode 100644
index 00000000000..9bea306f37d
--- /dev/null
+++ b/packages/windows/data_stream/forwarded/sample_event.json
@@ -0,0 +1,75 @@
+{
+ "@timestamp": "2020-05-13T09:04:04.755Z",
+ "agent": {
+ "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b",
+ "hostname": "docker-fleet-agent",
+ "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.13.0"
+ },
+ "data_stream": {
+ "dataset": "windows.forwarded",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.9.0"
+ },
+ "elastic_agent": {
+ "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322",
+ "snapshot": true,
+ "version": "7.13.0"
+ },
+ "event": {
+ "category": "process",
+ "code": "4105",
+ "created": "2021-06-01T10:22:56.365Z",
+ "dataset": "windows.forwarded",
+ "ingested": "2021-06-01T10:22:57.387144900Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-PowerShell",
+ "type": "start"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "verbose"
+ },
+ "powershell": {
+ "file": {
+ "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9"
+ },
+ "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623"
+ },
+ "tags": [
+ "forwarded"
+ ],
+ "user": {
+ "id": "S-1-5-21-1350058589-2282154016-2764056528-1000"
+ },
+ "winlog": {
+ "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}",
+ "channel": "Microsoft-Windows-PowerShell/Operational",
+ "computer_name": "vagrant",
+ "event_id": "4105",
+ "process": {
+ "pid": 4204,
+ "thread": {
+ "id": 1476
+ }
+ },
+ "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_name": "Microsoft-Windows-PowerShell",
+ "record_id": "790",
+ "user": {
+ "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
+ },
+ "version": 1
+ }
+}
\ No newline at end of file
diff --git a/packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..dfa8f5c9201
--- /dev/null
+++ b/packages/windows/data_stream/powershell/_dev/test/system/test-default-config.yml
@@ -0,0 +1,9 @@
+input: httpjson
+service: splunk-mock
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ username: test
+ password: test
+data_stream:
+ vars:
+ preserve_original_event: true
diff --git a/packages/windows/data_stream/powershell/fields/beats.yml b/packages/windows/data_stream/powershell/fields/beats.yml
new file mode 100644
index 00000000000..3c48f1f224f
--- /dev/null
+++ b/packages/windows/data_stream/powershell/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/data_stream/powershell/sample_event.json b/packages/windows/data_stream/powershell/sample_event.json
new file mode 100644
index 00000000000..df66403094e
--- /dev/null
+++ b/packages/windows/data_stream/powershell/sample_event.json
@@ -0,0 +1,82 @@
+{
+ "@timestamp": "2020-05-13T13:21:43.183Z",
+ "agent": {
+ "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b",
+ "hostname": "docker-fleet-agent",
+ "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.13.0"
+ },
+ "data_stream": {
+ "dataset": "windows.powershell",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.9.0"
+ },
+ "elastic_agent": {
+ "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322",
+ "snapshot": true,
+ "version": "7.13.0"
+ },
+ "event": {
+ "category": "process",
+ "code": "600",
+ "created": "2021-06-01T10:23:48.533Z",
+ "dataset": "windows.powershell",
+ "ingested": "2021-06-01T10:23:49.554043100Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "PowerShell",
+ "sequence": 35,
+ "type": "info"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "powershell": {
+ "engine": {
+ "version": "5.1.17763.1007"
+ },
+ "pipeline_id": "15",
+ "process": {
+ "executable_version": "5.1.17763.1007"
+ },
+ "provider": {
+ "name": "Certificate",
+ "new_state": "Started"
+ },
+ "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9"
+ },
+ "process": {
+ "args": [
+ "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
+ "C:\\Users\\vagrant\\Desktop\\lateral.ps1"
+ ],
+ "args_count": 2,
+ "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1",
+ "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206",
+ "title": "Windows PowerShell ISE Host"
+ },
+ "tags": [
+ "forwarded"
+ ],
+ "winlog": {
+ "channel": "Windows PowerShell",
+ "computer_name": "vagrant",
+ "event_id": "600",
+ "keywords": [
+ "Classic"
+ ],
+ "provider_name": "PowerShell",
+ "record_id": "1089"
+ }
+}
\ No newline at end of file
diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..dfa8f5c9201
--- /dev/null
+++ b/packages/windows/data_stream/powershell_operational/_dev/test/system/test-default-config.yml
@@ -0,0 +1,9 @@
+input: httpjson
+service: splunk-mock
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ username: test
+ password: test
+data_stream:
+ vars:
+ preserve_original_event: true
diff --git a/packages/windows/data_stream/powershell_operational/fields/beats.yml b/packages/windows/data_stream/powershell_operational/fields/beats.yml
new file mode 100644
index 00000000000..3c48f1f224f
--- /dev/null
+++ b/packages/windows/data_stream/powershell_operational/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/data_stream/powershell_operational/sample_event.json b/packages/windows/data_stream/powershell_operational/sample_event.json
new file mode 100644
index 00000000000..4bd2b964c63
--- /dev/null
+++ b/packages/windows/data_stream/powershell_operational/sample_event.json
@@ -0,0 +1,75 @@
+{
+ "@timestamp": "2020-05-13T09:04:04.755Z",
+ "agent": {
+ "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b",
+ "hostname": "docker-fleet-agent",
+ "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.13.0"
+ },
+ "data_stream": {
+ "dataset": "windows.powershell_operational",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.9.0"
+ },
+ "elastic_agent": {
+ "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322",
+ "snapshot": true,
+ "version": "7.13.0"
+ },
+ "event": {
+ "category": "process",
+ "code": "4105",
+ "created": "2021-06-01T10:24:43.254Z",
+ "dataset": "windows.powershell_operational",
+ "ingested": "2021-06-01T10:24:44.277129100Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-PowerShell",
+ "type": "start"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "verbose"
+ },
+ "powershell": {
+ "file": {
+ "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9"
+ },
+ "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623"
+ },
+ "tags": [
+ "forwarded"
+ ],
+ "user": {
+ "id": "S-1-5-21-1350058589-2282154016-2764056528-1000"
+ },
+ "winlog": {
+ "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}",
+ "channel": "Microsoft-Windows-PowerShell/Operational",
+ "computer_name": "vagrant",
+ "event_id": "4105",
+ "process": {
+ "pid": 4204,
+ "thread": {
+ "id": 1476
+ }
+ },
+ "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_name": "Microsoft-Windows-PowerShell",
+ "record_id": "790",
+ "user": {
+ "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
+ },
+ "version": 1
+ }
+}
\ No newline at end of file
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
index ec482d8fcfa..da69045fb6c 100644
--- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
@@ -73,11 +73,11 @@
"go.microsoft.com"
],
"ip": [
- "_ingest._value"
+ "23.223.14.67"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303220Z",
+ "ingested": "2021-06-01T09:52:58.850006900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -169,11 +169,11 @@
"www.msn.com"
],
"ip": [
- "_ingest._value"
+ "204.79.197.203"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303229700Z",
+ "ingested": "2021-06-01T09:52:58.850024Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -253,7 +253,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303235100Z",
+ "ingested": "2021-06-01T09:52:58.850029500Z",
"code": "23",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T08:14:44.489978500Z'/\u003e\u003cEventRecordID\u003e612\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 08:14:44.489\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-c36f-5eb3-2c07-290000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2184\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\u003c/Data\u003e\u003cData Name='IsExecutable'\u003etrue\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -345,11 +345,12 @@
"static-global-s-msn-com.akamaized.net"
],
"ip": [
- "_ingest._value"
+ "23.50.53.192",
+ "23.50.53.195"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303240500Z",
+ "ingested": "2021-06-01T09:52:58.850036900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -446,11 +447,12 @@
"www.bing.com"
],
"ip": [
- "_ingest._value"
+ "204.79.197.200",
+ "13.107.21.200"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303245800Z",
+ "ingested": "2021-06-01T09:52:58.850046Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -518,7 +520,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303251100Z",
+ "ingested": "2021-06-01T09:52:58.850054600Z",
"code": "13",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:40.599567200Z'/\u003e\u003cEventRecordID\u003e2682\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:40.589\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD (0x00000004)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -593,7 +595,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303256200Z",
+ "ingested": "2021-06-01T09:52:58.850062800Z",
"code": "23",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T07:27:18.722136100Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 07:27:18.722\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-b2b6-5eb3-18ab-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e776\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=115106F5B338C87AE6836D50DD890DE3DA296367\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -685,11 +687,11 @@
"linkmaker.itunes.apple.com"
],
"ip": [
- "_ingest._value"
+ "23.64.104.249"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303261300Z",
+ "ingested": "2021-06-01T09:52:58.850071200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -785,11 +787,14 @@
"confiant-integrations.global.ssl.fastly.net"
],
"ip": [
- "_ingest._value"
+ "151.101.1.194",
+ "151.101.65.194",
+ "151.101.129.194",
+ "151.101.193.194"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303266500Z",
+ "ingested": "2021-06-01T09:52:58.850079300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -876,11 +881,11 @@
"c.msn.com"
],
"ip": [
- "_ingest._value"
+ "20.36.253.92"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303271700Z",
+ "ingested": "2021-06-01T09:52:58.850088Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -977,11 +982,12 @@
"c.bing.com"
],
"ip": [
- "_ingest._value"
+ "13.107.21.200",
+ "204.79.197.200"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303277Z",
+ "ingested": "2021-06-01T09:52:58.850096Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -1063,11 +1069,11 @@
"contextual.media.net"
],
"ip": [
- "_ingest._value"
+ "23.52.167.93"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303282500Z",
+ "ingested": "2021-06-01T09:52:58.850099800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -1169,11 +1175,11 @@
"at.atwola.com"
],
"ip": [
- "_ingest._value"
+ "152.195.32.120"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303287700Z",
+ "ingested": "2021-06-01T09:52:58.850105500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -1305,11 +1311,19 @@
"m.adnxs.com"
],
"ip": [
- "_ingest._value"
+ "204.13.192.56",
+ "204.13.192.120",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303293Z",
+ "ingested": "2021-06-01T09:52:58.850111500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
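Review bot: The nine addresses pinned here for m.adnxs.com are taken verbatim from Sysmon's `QueryResults` string, which in this record mixes the `::ffff:`-prefixed answers (204.13.192.56, 204.13.192.120) with bare IPv4 and IPv6 entries that appear to be nameserver/glue addresses rather than answers for the queried name. The fixture therefore codifies that non-answer records surface in the resolved-IP fields, so an analyst pivoting on `related.ip` will see infrastructure addresses attributed to an ad-network lookup; that is faithful to what Sysmon emits, but a one-line caveat in the data stream README such as `Resolved IP fields contain every address Sysmon lists in QueryResults, which may include referral/glue records, not only answers for the queried name.` would save detection engineers a surprise. This hunk does confirm the extractor handles all three forms (mapped IPv4, bare IPv4, bare IPv6), which is the useful part of the fixture. The enclosing JSON document starts and ends outside the hunk.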
@@ -1396,11 +1410,11 @@
"cms.analytics.yahoo.com"
],
"ip": [
- "_ingest._value"
+ "74.6.137.78"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303316400Z",
+ "ingested": "2021-06-01T09:52:58.850118600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -1492,11 +1506,11 @@
"cvision.media.net"
],
"ip": [
- "_ingest._value"
+ "23.52.167.93"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303321600Z",
+ "ingested": "2021-06-01T09:52:58.850122900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -1593,11 +1607,12 @@
"g.bing.com"
],
"ip": [
- "_ingest._value"
+ "204.79.197.200",
+ "13.107.21.200"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303325100Z",
+ "ingested": "2021-06-01T09:52:58.850128900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -1679,11 +1694,11 @@
"lg3.media.net"
],
"ip": [
- "_ingest._value"
+ "23.52.167.93"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303329400Z",
+ "ingested": "2021-06-01T09:52:58.850133600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -1780,11 +1795,13 @@
"service.sp.advertising.com"
],
"ip": [
- "_ingest._value"
+ "54.88.96.255",
+ "34.233.100.168",
+ "54.209.58.223"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303334700Z",
+ "ingested": "2021-06-01T09:52:58.850139800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -1846,7 +1863,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303359900Z",
+ "ingested": "2021-06-01T09:52:58.850144300Z",
"code": "13",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.723248500Z'/\u003e\u003cEventRecordID\u003e2686\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -1937,11 +1954,11 @@
"sb.scorecardresearch.com"
],
"ip": [
- "_ingest._value"
+ "184.25.176.117"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303364200Z",
+ "ingested": "2021-06-01T09:52:58.850150100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -2033,11 +2050,11 @@
"otf.msn.com"
],
"ip": [
- "_ingest._value"
+ "40.114.54.223"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303368800Z",
+ "ingested": "2021-06-01T09:52:58.850158600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -2105,7 +2122,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303374200Z",
+ "ingested": "2021-06-01T09:52:58.850167200Z",
"code": "13",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.726009900Z'/\u003e\u003cEventRecordID\u003e2687\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x00000005)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -2166,7 +2183,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303378400Z",
+ "ingested": "2021-06-01T09:52:58.850175900Z",
"code": "13",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818821400Z'/\u003e\u003cEventRecordID\u003e2690\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -2282,11 +2299,18 @@
"ping.chartbeat.net"
],
"ip": [
- "_ingest._value"
+ "35.171.101.225",
+ "34.196.57.87",
+ "34.194.164.46",
+ "34.233.181.142",
+ "34.194.167.169",
+ "34.193.242.172",
+ "34.234.152.11",
+ "34.206.12.124"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303382700Z",
+ "ingested": "2021-06-01T09:52:58.850184300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -2382,11 +2406,14 @@
"clarium.freetls.fastly.net"
],
"ip": [
- "_ingest._value"
+ "151.101.194.79",
+ "151.101.2.79",
+ "151.101.66.79",
+ "151.101.130.79"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303386300Z",
+ "ingested": "2021-06-01T09:52:58.850192700Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -2528,11 +2555,23 @@
"nym1-ib.adnxs.com"
],
"ip": [
- "_ingest._value"
+ "68.67.178.252",
+ "68.67.179.11",
+ "68.67.179.228",
+ "68.67.178.184",
+ "204.13.192.141",
+ "68.67.180.43",
+ "68.67.179.23",
+ "68.67.179.197",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303390800Z",
+ "ingested": "2021-06-01T09:52:58.850201100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -2664,11 +2703,19 @@
"eb2.3lift.com"
],
"ip": [
- "_ingest._value"
+ "34.196.86.129",
+ "34.233.250.110",
+ "18.209.244.108",
+ "34.224.204.11",
+ "34.237.44.255",
+ "3.210.231.21",
+ "54.172.198.255",
+ "34.199.186.227",
+ "192.5.6.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303396300Z",
+ "ingested": "2021-06-01T09:52:58.850209300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -2812,11 +2859,20 @@
"px.ads.linkedin.com"
],
"ip": [
- "_ingest._value"
+ "108.174.10.14",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303402400Z",
+ "ingested": "2021-06-01T09:52:58.850218400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -2918,11 +2974,13 @@
"login.live.com"
],
"ip": [
- "_ingest._value"
+ "40.90.23.239",
+ "40.90.23.213",
+ "40.90.23.154"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303407600Z",
+ "ingested": "2021-06-01T09:52:58.850227Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -3066,11 +3124,22 @@
"dis.criteo.com"
],
"ip": [
- "_ingest._value"
+ "74.119.119.150",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30",
+ "192.35.51.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303413500Z",
+ "ingested": "2021-06-01T09:52:58.850235700Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -3212,11 +3281,21 @@
"ib.adnxs.com"
],
"ip": [
- "_ingest._value"
+ "68.67.180.12",
+ "68.67.179.228",
+ "68.67.180.44",
+ "204.13.192.141",
+ "68.67.178.230",
+ "68.67.178.252",
+ "68.67.179.23",
+ "68.67.179.232",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303419Z",
+ "ingested": "2021-06-01T09:52:58.850244600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -3303,11 +3382,11 @@
"cm.g.doubleclick.net"
],
"ip": [
- "_ingest._value"
+ "172.217.10.34"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303425500Z",
+ "ingested": "2021-06-01T09:52:58.850253Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -3439,11 +3518,20 @@
"match.adsrvr.org"
],
"ip": [
- "_ingest._value"
+ "54.208.129.24",
+ "54.175.5.93",
+ "52.86.210.96",
+ "3.93.252.59",
+ "54.86.97.130",
+ "34.194.239.194",
+ "3.94.67.102",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303430900Z",
+ "ingested": "2021-06-01T09:52:58.850261400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -3535,11 +3623,11 @@
"ssum-sec.casalemedia.com"
],
"ip": [
- "_ingest._value"
+ "23.52.162.21"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303436500Z",
+ "ingested": "2021-06-01T09:52:58.850270Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -3671,11 +3759,20 @@
"protected-by.clarium.io"
],
"ip": [
- "_ingest._value"
+ "18.204.130.216",
+ "18.209.246.43",
+ "107.23.153.61",
+ "18.235.141.27",
+ "3.210.79.248",
+ "18.209.146.43",
+ "18.210.64.206",
+ "18.214.161.226",
+ "192.5.6.30",
+ "2001:503:a83e::2:30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303441800Z",
+ "ingested": "2021-06-01T09:52:58.850278600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -3762,11 +3859,11 @@
"pagead2.googlesyndication.com"
],
"ip": [
- "_ingest._value"
+ "172.217.10.66"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303447300Z",
+ "ingested": "2021-06-01T09:52:58.850288Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -3853,11 +3950,11 @@
"googleads.g.doubleclick.net"
],
"ip": [
- "_ingest._value"
+ "172.217.10.66"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303452700Z",
+ "ingested": "2021-06-01T09:52:58.850300100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -3984,11 +4081,18 @@
"pixel.advertising.com"
],
"ip": [
- "_ingest._value"
+ "52.22.184.73",
+ "54.152.30.174",
+ "3.213.70.197",
+ "54.158.57.141",
+ "52.6.39.34",
+ "52.0.113.251",
+ "3.213.8.28",
+ "3.215.246.105"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303458100Z",
+ "ingested": "2021-06-01T09:52:58.850309500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -4105,11 +4209,15 @@
"onevideosync.uplynk.com"
],
"ip": [
- "_ingest._value"
+ "54.210.214.197",
+ "52.202.202.147",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303464200Z",
+ "ingested": "2021-06-01T09:52:58.850318300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -4159,7 +4267,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303469900Z",
+ "ingested": "2021-06-01T09:52:58.850327Z",
"code": "16",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e16\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e16\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:37.933324000Z'/\u003e\u003cEventRecordID\u003e1\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4616' ThreadID='4724'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-3541430928-2051711210-1391384369-1001'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.933\u003c/Data\u003e\u003cData Name='Configuration'\u003eC:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\u003c/Data\u003e\u003cData Name='ConfigurationFileHash'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -4244,11 +4352,11 @@
"ad.turn.com"
],
"ip": [
- "_ingest._value"
+ "50.116.194.21"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303475400Z",
+ "ingested": "2021-06-01T09:52:58.850335800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -4370,11 +4478,18 @@
"ups.analytics.yahoo.com"
],
"ip": [
- "_ingest._value"
+ "34.225.20.218",
+ "3.216.14.125",
+ "52.200.28.150",
+ "3.216.103.132",
+ "52.4.86.222",
+ "52.21.200.160",
+ "3.216.249.238",
+ "3.94.175.146"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303480800Z",
+ "ingested": "2021-06-01T09:52:58.850344700Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -4511,11 +4626,21 @@
"pm.w55c.net"
],
"ip": [
- "_ingest._value"
+ "34.237.248.89",
+ "35.153.21.25",
+ "52.200.238.112",
+ "52.206.93.38",
+ "34.227.35.137",
+ "35.169.96.208",
+ "52.22.206.42",
+ "52.201.81.61",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303486300Z",
+ "ingested": "2021-06-01T09:52:58.850353300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -4652,11 +4777,22 @@
"cm.eyereturn.com"
],
"ip": [
- "_ingest._value"
+ "35.186.239.238",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30",
+ "192.35.51.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303490300Z",
+ "ingested": "2021-06-01T09:52:58.850362200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -4743,11 +4879,11 @@
"www.googletagservices.com"
],
"ip": [
- "_ingest._value"
+ "172.217.10.66"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303495200Z",
+ "ingested": "2021-06-01T09:52:58.850371100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -4884,11 +5020,21 @@
"cm.adgrx.com"
],
"ip": [
- "_ingest._value"
+ "173.231.178.117",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303500600Z",
+ "ingested": "2021-06-01T09:52:58.850380Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -5020,11 +5166,19 @@
"csm2waycm-atl.netmng.com"
],
"ip": [
- "_ingest._value"
+ "104.193.83.156",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303505700Z",
+ "ingested": "2021-06-01T09:52:58.850388700Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -5076,7 +5230,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303509800Z",
+ "ingested": "2021-06-01T09:52:58.850397500Z",
"code": "4",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e4\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e2\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.011\u003c/Data\u003e\u003cData Name='State'\u003eStarted\u003c/Data\u003e\u003cData Name='Version'\u003e9.01\u003c/Data\u003e\u003cData Name='SchemaVersion'\u003e4.20\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -5161,11 +5315,11 @@
"pr-bh.ybp.yahoo.com"
],
"ip": [
- "_ingest._value"
+ "72.30.2.182"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303514500Z",
+ "ingested": "2021-06-01T09:52:58.850406100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -5247,11 +5401,11 @@
"ps.eyeota.net"
],
"ip": [
- "_ingest._value"
+ "3.83.220.223"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303520100Z",
+ "ingested": "2021-06-01T09:52:58.850469200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:3.83.220.223;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -5348,7 +5502,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303524400Z",
+ "ingested": "2021-06-01T09:52:58.850479Z",
"code": "1",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e3\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.949\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4860\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e9.01\u003c/Data\u003e\u003cData Name='Description'\u003eSystem activity monitor\u003c/Data\u003e\u003cData Name='Product'\u003eSysinternals Sysmon\u003c/Data\u003e\u003cData Name='Company'\u003eSysinternals - www.sysinternals.com\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e488\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\services.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\services.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -5457,11 +5611,12 @@
"idpix.media6degrees.com"
],
"ip": [
- "_ingest._value"
+ "204.2.197.201",
+ "204.2.197.211"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303528700Z",
+ "ingested": "2021-06-01T09:52:58.850488100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -5588,11 +5743,19 @@
"tpc.googlesyndication.com"
],
"ip": [
- "_ingest._value"
+ "172.217.10.1",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303532400Z",
+ "ingested": "2021-06-01T09:52:58.850496800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -5695,7 +5858,7 @@
"name": "vagrant-2012-r2"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303537400Z",
+ "ingested": "2021-06-01T09:52:58.850505800Z",
"code": "1",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e4\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.964\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-00102c412a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5028\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\unsecapp.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eSink to receive asynchronous callbacks for WMI client application\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData 
Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -5827,11 +5990,19 @@
"image2.pubmatic.com"
],
"ip": [
- "_ingest._value"
+ "162.248.19.147",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303543Z",
+ "ingested": "2021-06-01T09:52:58.850514500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -5928,11 +6099,11 @@
"sam.msn.com"
],
"ip": [
- "_ingest._value"
+ "204.79.197.203"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303547800Z",
+ "ingested": "2021-06-01T09:52:58.850523100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -6069,11 +6240,22 @@
"ocsp.sca1b.amazontrust.com"
],
"ip": [
- "_ingest._value"
+ "52.85.89.250",
+ "52.85.89.94",
+ "52.85.89.22",
+ "52.85.89.139",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303553200Z",
+ "ingested": "2021-06-01T09:52:58.850531900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -6170,11 +6352,12 @@
"c1.adform.net"
],
"ip": [
- "_ingest._value"
+ "185.167.164.43",
+ "185.167.164.42"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303558600Z",
+ "ingested": "2021-06-01T09:52:58.850540600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -6291,11 +6474,16 @@
"urs.microsoft.com"
],
"ip": [
- "_ingest._value"
+ "40.84.140.84",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303564Z",
+ "ingested": "2021-06-01T09:52:58.850549300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -6387,11 +6575,11 @@
"dsum-sec.casalemedia.com"
],
"ip": [
- "_ingest._value"
+ "23.52.162.21"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303569500Z",
+ "ingested": "2021-06-01T09:52:58.850554200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -6478,11 +6666,11 @@
"ocsp.godaddy.com"
],
"ip": [
- "_ingest._value"
+ "72.167.239.239"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303575Z",
+ "ingested": "2021-06-01T09:52:58.850558Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -6556,7 +6744,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303580300Z",
+ "ingested": "2021-06-01T09:52:58.850563800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802587100Z'/\u003e\u003cEventRecordID\u003e118\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -6630,7 +6818,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303585700Z",
+ "ingested": "2021-06-01T09:52:58.850570300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802678700Z'/\u003e\u003cEventRecordID\u003e119\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -6683,7 +6871,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303591200Z",
+ "ingested": "2021-06-01T09:52:58.850577800Z",
"code": "5",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e5\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -6813,11 +7001,20 @@
"ocsp.usertrust.com"
],
"ip": [
- "_ingest._value"
+ "151.139.128.14",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303596600Z",
+ "ingested": "2021-06-01T09:52:58.850586600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -6914,11 +7111,12 @@
"isrg.trustid.ocsp.identrust.com"
],
"ip": [
- "_ingest._value"
+ "23.50.53.179",
+ "23.50.53.176"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303602Z",
+ "ingested": "2021-06-01T09:52:58.850592300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -7005,11 +7203,11 @@
"ad.doubleclick.net"
],
"ip": [
- "_ingest._value"
+ "172.217.6.198"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303607400Z",
+ "ingested": "2021-06-01T09:52:58.850598500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -7062,7 +7260,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303612700Z",
+ "ingested": "2021-06-01T09:52:58.850607300Z",
"code": "5",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e6\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010071e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4648\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\Downloads\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -7192,11 +7390,20 @@
"ocsp.sectigo.com"
],
"ip": [
- "_ingest._value"
- ]
- },
- "event": {
- "ingested": "2021-05-06T11:45:02.303618200Z",
+ "151.139.128.14",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
+ ]
+ },
+ "event": {
+ "ingested": "2021-06-01T09:52:58.850613100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -7296,7 +7503,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303623700Z",
+ "ingested": "2021-06-01T09:52:58.850618800Z",
"code": "1",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:39.012744700Z'/\u003e\u003cEventRecordID\u003e7\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:39.012\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce03-5c8f-0000-0010e9462a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4508\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eWMI Provider Host\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData 
Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -7373,7 +7580,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303629300Z",
+ "ingested": "2021-06-01T09:52:58.850622900Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ea00:203:3000:3000:3000:3000:3000:3300\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -7453,7 +7660,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303633400Z",
+ "ingested": "2021-06-01T09:52:58.850629900Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e9\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -7533,7 +7740,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303638500Z",
+ "ingested": "2021-06-01T09:52:58.850661Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -7613,7 +7820,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303643800Z",
+ "ingested": "2021-06-01T09:52:58.850667600Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
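Review bot: The only change in this hunk is `event.ingested`, a wall-clock value that moves every time the expected output is regenerated, and the same one-line churn repeats in the hunks at @@ -7929, @@ -8106, @@ -8292, @@ -8371, @@ -8449, @@ -8527, @@ -8606, @@ -8685, @@ -8767 and @@ -8849, so the substantive correction in this file (the `_ingest._value` placeholder being replaced by resolved addresses under `"ip"`) is hard to spot in review. If this file is the expected output of an elastic-package pipeline test, as the layout suggests, declaring `event.ingested` under `dynamic_fields` in the test's config file would exclude it from the comparison and keep future regenerations limited to real parser changes. The surrounding JSON object starts and ends outside this hunk.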
@@ -7712,11 +7919,12 @@
"ocsp.int-x3.letsencrypt.org"
],
"ip": [
- "_ingest._value"
+ "23.50.53.179",
+ "23.50.53.177"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303648600Z",
+ "ingested": "2021-06-01T09:52:58.850674600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -7848,11 +8056,20 @@
"ocsp.pki.goog"
],
"ip": [
- "_ingest._value"
+ "172.217.12.195",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303652700Z",
+ "ingested": "2021-06-01T09:52:58.850684100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -7929,7 +8146,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303657700Z",
+ "ingested": "2021-06-01T09:52:58.850705800Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e12\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8018,11 +8235,11 @@
"googleads4.g.doubleclick.net"
],
"ip": [
- "_ingest._value"
+ "172.217.10.34"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303663400Z",
+ "ingested": "2021-06-01T09:52:58.850710900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8106,7 +8323,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303667800Z",
+ "ingested": "2021-06-01T09:52:58.850717700Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e13\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8210,11 +8427,14 @@
"images.taboola.com"
],
"ip": [
- "_ingest._value"
+ "151.101.2.2",
+ "151.101.66.2",
+ "151.101.130.2",
+ "151.101.194.2"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303672100Z",
+ "ingested": "2021-06-01T09:52:58.850743100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8292,7 +8512,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303675800Z",
+ "ingested": "2021-06-01T09:52:58.850752100Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e14\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:e488:b85c:5262:ff86\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8371,7 +8591,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303680300Z",
+ "ingested": "2021-06-01T09:52:58.850756600Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea00:20f:0:0:18a2:6e00:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:4300:6800:7200:6f00:6d00:6500\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8449,7 +8669,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303686Z",
+ "ingested": "2021-06-01T09:52:58.850762700Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8527,7 +8747,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303691400Z",
+ "ingested": "2021-06-01T09:52:58.850768700Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8606,7 +8826,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303696700Z",
+ "ingested": "2021-06-01T09:52:58.850775700Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e18\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:616f:32fa:b04f:b419\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8685,7 +8905,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303702200Z",
+ "ingested": "2021-06-01T09:52:58.850780300Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003ea9fe:b419:0:0:f880:2301:e0:ffff\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003ee000:fc:0:0:0:0:0:0\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8767,7 +8987,7 @@
"name": "vagrant-2012-r2"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303707700Z",
+ "ingested": "2021-06-01T09:52:58.850786900Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e40.77.226.250\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8849,7 +9069,7 @@
"name": "vagrant-2012-r2"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303713200Z",
+ "ingested": "2021-06-01T09:52:58.850795900Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e21\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.276\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -8928,7 +9148,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303718600Z",
+ "ingested": "2021-06-01T09:52:58.850804800Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.255.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -9032,11 +9252,14 @@
"api-s2s.taboola.com"
],
"ip": [
- "_ingest._value"
+ "151.101.66.2",
+ "151.101.130.2",
+ "151.101.194.2",
+ "151.101.2.2"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303724Z",
+ "ingested": "2021-06-01T09:52:58.850813400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -9123,11 +9346,12 @@
"x.bidswitch.net"
],
"ip": [
- "_ingest._value"
+ "35.231.30.22",
+ "35.196.212.198"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303729500Z",
+ "ingested": "2021-06-01T09:52:58.850822Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.231.30.22;::ffff:35.196.212.198;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -9259,11 +9483,20 @@
"pixel.adsafeprotected.com"
],
"ip": [
- "_ingest._value"
+ "199.166.0.26",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303734800Z",
+ "ingested": "2021-06-01T09:52:58.850827600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -9399,11 +9632,22 @@
"ml314.com"
],
"ip": [
- "_ingest._value"
+ "35.171.48.231",
+ "52.206.107.32",
+ "35.175.80.59",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303740200Z",
+ "ingested": "2021-06-01T09:52:58.850831400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -9540,11 +9784,22 @@
"aa.agkn.com"
],
"ip": [
- "_ingest._value"
+ "156.154.200.36",
+ "63.251.88.56",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303745700Z",
+ "ingested": "2021-06-01T09:52:58.850837200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -9676,11 +9931,20 @@
"s0.2mdn.net"
],
"ip": [
- "_ingest._value"
+ "172.217.10.134",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303751Z",
+ "ingested": "2021-06-01T09:52:58.850843200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -9777,11 +10041,12 @@
"b.scorecardresearch.com"
],
"ip": [
- "_ingest._value"
+ "23.50.53.195",
+ "23.50.53.185"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303756300Z",
+ "ingested": "2021-06-01T09:52:58.850850400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -9883,11 +10148,14 @@
"edw.edmunds.com"
],
"ip": [
- "_ingest._value"
+ "151.101.130.2",
+ "151.101.194.2",
+ "151.101.2.2",
+ "151.101.66.2"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303761900Z",
+ "ingested": "2021-06-01T09:52:58.850859Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -9974,11 +10242,11 @@
"ocsp.digicert.com"
],
"ip": [
- "_ingest._value"
+ "72.21.91.29"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303767300Z",
+ "ingested": "2021-06-01T09:52:58.850867700Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10110,11 +10378,20 @@
"pre-usermatch.targeting.unrulymedia.com"
],
"ip": [
- "_ingest._value"
+ "35.167.55.0",
+ "52.24.219.168",
+ "52.43.21.209",
+ "54.200.225.167",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303772800Z",
+ "ingested": "2021-06-01T09:52:58.850872800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10256,11 +10533,22 @@
"farm.plista.com"
],
"ip": [
- "_ingest._value"
+ "144.76.67.119",
+ "148.251.77.207",
+ "148.251.15.115",
+ "176.9.103.51",
+ "88.198.208.110",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303776900Z",
+ "ingested": "2021-06-01T09:52:58.850878800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10392,11 +10680,19 @@
"beacon.krxd.net"
],
"ip": [
- "_ingest._value"
+ "50.17.180.35",
+ "50.19.103.40",
+ "50.19.210.19",
+ "50.19.117.149",
+ "50.19.222.244",
+ "50.19.222.88",
+ "50.19.81.100",
+ "54.204.10.30",
+ "192.5.6.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303781700Z",
+ "ingested": "2021-06-01T09:52:58.850887500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10473,7 +10769,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303787Z",
+ "ingested": "2021-06-01T09:52:58.850895900Z",
"code": "3",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e169.254.180.25\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10528,7 +10824,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303792500Z",
+ "ingested": "2021-06-01T09:52:58.850904400Z",
"code": "5",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.354274600Z'/\u003e\u003cEventRecordID\u003e24\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.350\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccc6-5c8f-0000-001005082900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4832\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10579,7 +10875,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303796700Z",
+ "ingested": "2021-06-01T09:52:58.850912500Z",
"code": "5",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.364042800Z'/\u003e\u003cEventRecordID\u003e25\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.364\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cccc-5c8f-0000-0010e8272900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3208\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10640,7 +10936,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303801300Z",
+ "ingested": "2021-06-01T09:52:58.850916900Z",
"code": "2",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.402119100Z'/\u003e\u003cEventRecordID\u003e26\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10701,7 +10997,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303806800Z",
+ "ingested": "2021-06-01T09:52:58.850921400Z",
"code": "2",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e27\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10762,7 +11058,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303811Z",
+ "ingested": "2021-06-01T09:52:58.850925500Z",
"code": "2",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e28\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.028\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10823,7 +11119,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303815200Z",
+ "ingested": "2021-06-01T09:52:58.850931600Z",
"code": "2",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e29\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:51:54.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10881,7 +11177,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303820Z",
+ "ingested": "2021-06-01T09:52:58.850940400Z",
"code": "5",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e30\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccab-5c8f-0000-001064eb2700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2680\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -10942,7 +11238,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.303824500Z",
+ "ingested": "2021-06-01T09:52:58.850946800Z",
"code": "2",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e31\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:08.496\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -11032,11 +11328,11 @@
"dsum.casalemedia.com"
],
"ip": [
- "_ingest._value"
+ "23.52.162.21"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303829300Z",
+ "ingested": "2021-06-01T09:52:58.850952400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -11173,11 +11469,21 @@
"sync.mathtag.com"
],
"ip": [
- "_ingest._value"
+ "216.200.232.235",
+ "216.200.232.201",
+ "74.121.138.26",
+ "216.200.232.185",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303834700Z",
+ "ingested": "2021-06-01T09:52:58.850987900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -11269,11 +11575,11 @@
"status.rapidssl.com"
],
"ip": [
- "_ingest._value"
+ "72.21.91.29"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303840500Z",
+ "ingested": "2021-06-01T09:52:58.850997900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -11410,11 +11716,21 @@
"sync.extend.tv"
],
"ip": [
- "_ingest._value"
+ "34.197.195.131",
+ "34.192.39.82",
+ "34.199.231.204",
+ "34.199.113.81",
+ "34.197.3.157",
+ "34.205.112.156",
+ "34.195.29.8",
+ "34.201.247.123",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303846Z",
+ "ingested": "2021-06-01T09:52:58.851006800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -11546,11 +11862,20 @@
"ocsp.comodoca.com"
],
"ip": [
- "_ingest._value"
+ "151.139.128.14",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303895400Z",
+ "ingested": "2021-06-01T09:52:58.851015400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -11662,11 +11987,14 @@
"sync-tm.everesttech.net"
],
"ip": [
- "_ingest._value"
+ "151.101.2.49",
+ "151.101.66.49",
+ "151.101.130.49",
+ "151.101.194.49"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303899300Z",
+ "ingested": "2021-06-01T09:52:58.851023900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -11803,11 +12131,22 @@
"idsync.rlcdn.com"
],
"ip": [
- "_ingest._value"
+ "34.95.92.78",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30",
+ "192.35.51.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303903500Z",
+ "ingested": "2021-06-01T09:52:58.851032400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -11919,11 +12258,16 @@
"cm.adform.net"
],
"ip": [
- "_ingest._value"
+ "37.157.2.239",
+ "37.157.6.253",
+ "37.157.2.238",
+ "37.157.4.25",
+ "37.157.4.24",
+ "37.157.6.247"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303907100Z",
+ "ingested": "2021-06-01T09:52:58.851041300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -12005,11 +12349,11 @@
"dm.hybrid.ai"
],
"ip": [
- "_ingest._value"
+ "37.18.16.16"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303913300Z",
+ "ingested": "2021-06-01T09:52:58.851049600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:37.18.16.16;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -12141,11 +12485,20 @@
"static.adsafeprotected.com"
],
"ip": [
- "_ingest._value"
+ "199.166.0.32",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303918400Z",
+ "ingested": "2021-06-01T09:52:58.851058100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -12247,11 +12600,14 @@
"trc.taboola.com"
],
"ip": [
- "_ingest._value"
+ "151.101.130.2",
+ "151.101.194.2",
+ "151.101.2.2",
+ "151.101.66.2"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303923400Z",
+ "ingested": "2021-06-01T09:52:58.851066800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -12332,11 +12688,11 @@
"pippio.com"
],
"ip": [
- "_ingest._value"
+ "107.178.254.65"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303928800Z",
+ "ingested": "2021-06-01T09:52:58.851075600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:107.178.254.65;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -12468,11 +12824,20 @@
"pixel-sync.sitescout.com"
],
"ip": [
- "_ingest._value"
+ "209.15.36.34",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303934500Z",
+ "ingested": "2021-06-01T09:52:58.851084100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -12604,11 +12969,21 @@
"prod.y-medialink.com"
],
"ip": [
- "_ingest._value"
+ "35.186.202.217",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303939800Z",
+ "ingested": "2021-06-01T09:52:58.851092500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -12720,11 +13095,16 @@
"jadserve.postrelease.com"
],
"ip": [
- "_ingest._value"
+ "54.80.117.178",
+ "3.217.22.176",
+ "35.153.215.15",
+ "52.207.54.164",
+ "52.204.186.237",
+ "52.86.46.105"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303943700Z",
+ "ingested": "2021-06-01T09:52:58.851101100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -12856,11 +13236,20 @@
"appnexus-partners.tremorhub.com"
],
"ip": [
- "_ingest._value"
+ "107.21.43.184",
+ "54.164.220.86",
+ "52.72.172.174",
+ "3.209.65.250",
+ "3.94.51.187",
+ "34.193.211.130",
+ "18.214.47.10",
+ "18.214.151.246",
+ "192.5.6.30",
+ "2001:503:a83e::2:30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303948400Z",
+ "ingested": "2021-06-01T09:52:58.851109900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -12982,11 +13371,17 @@
"x.dlx.addthis.com"
],
"ip": [
- "_ingest._value"
+ "107.21.14.70",
+ "107.23.33.163",
+ "23.22.192.59",
+ "100.24.96.238",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303954900Z",
+ "ingested": "2021-06-01T09:52:58.851118300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -13108,11 +13503,17 @@
"dh.serving-sys.com"
],
"ip": [
- "_ingest._value"
+ "18.205.112.71",
+ "50.19.40.146",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303960500Z",
+ "ingested": "2021-06-01T09:52:58.851126700Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -13254,11 +13655,22 @@
"match.sharethrough.com"
],
"ip": [
- "_ingest._value"
+ "52.55.160.246",
+ "3.211.67.240",
+ "35.173.61.59",
+ "34.233.179.235",
+ "34.228.105.237",
+ "52.7.23.213",
+ "52.201.177.113",
+ "34.235.70.251",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303965Z",
+ "ingested": "2021-06-01T09:52:58.851135300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -13390,11 +13802,21 @@
"tags.rd.linksynergy.com"
],
"ip": [
- "_ingest._value"
- ]
- },
- "event": {
- "ingested": "2021-05-06T11:45:02.303969700Z",
+ "35.241.16.233",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30"
+ ]
+ },
+ "event": {
+ "ingested": "2021-06-01T09:52:58.851143800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -13521,11 +13943,18 @@
"rtb-csync.smartadserver.com"
],
"ip": [
- "_ingest._value"
+ "199.187.193.166",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303974900Z",
+ "ingested": "2021-06-01T09:52:58.851152400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -13657,11 +14086,20 @@
"sc.iasds01.com"
],
"ip": [
- "_ingest._value"
+ "199.166.0.200",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303982200Z",
+ "ingested": "2021-06-01T09:52:58.851161Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -13793,11 +14231,20 @@
"dt.adsafeprotected.com"
],
"ip": [
- "_ingest._value"
+ "104.244.38.20",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303988Z",
+ "ingested": "2021-06-01T09:52:58.851169400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -13889,11 +14336,11 @@
"status.thawte.com"
],
"ip": [
- "_ingest._value"
+ "72.21.91.29"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303993400Z",
+ "ingested": "2021-06-01T09:52:58.851177800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -14032,11 +14479,18 @@
"ads.stickyadstv.com"
],
"ip": [
- "_ingest._value"
+ "38.134.110.101",
+ "38.134.110.143",
+ "38.134.110.141",
+ "38.134.110.171",
+ "38.134.110.177",
+ "38.134.110.115",
+ "38.134.110.104",
+ "38.134.110.114"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.303999300Z",
+ "ingested": "2021-06-01T09:52:58.851186500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -14128,11 +14582,11 @@
"hbx.media.net"
],
"ip": [
- "_ingest._value"
+ "23.52.167.93"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304004900Z",
+ "ingested": "2021-06-01T09:52:58.851195Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -14234,11 +14688,14 @@
"match.taboola.com"
],
"ip": [
- "_ingest._value"
+ "151.101.194.49",
+ "151.101.2.49",
+ "151.101.66.49",
+ "151.101.130.49"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304009400Z",
+ "ingested": "2021-06-01T09:52:58.851203300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -14330,11 +14787,12 @@
"img-s-msn-com.akamaized.net"
],
"ip": [
- "_ingest._value"
+ "23.50.53.185",
+ "23.50.53.194"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304013500Z",
+ "ingested": "2021-06-01T09:52:58.851212Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -14426,11 +14884,12 @@
"static-entertainment-eus-s-msn-com.akamaized.net"
],
"ip": [
- "_ingest._value"
+ "23.50.53.194",
+ "23.50.53.186"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304018300Z",
+ "ingested": "2021-06-01T09:52:58.851220400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -14522,11 +14981,11 @@
"radarmaps.weather.microsoft.com"
],
"ip": [
- "_ingest._value"
+ "23.217.149.91"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304022800Z",
+ "ingested": "2021-06-01T09:52:58.851229400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -14618,11 +15077,12 @@
"static-entertainment-eus-s-msn-com.akamaized.net"
],
"ip": [
- "_ingest._value"
+ "23.50.53.194",
+ "23.50.53.186"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304027300Z",
+ "ingested": "2021-06-01T09:52:58.851238100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -14709,11 +15169,11 @@
"tag.sp.advertising.com"
],
"ip": [
- "_ingest._value"
+ "152.195.32.163"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304031500Z",
+ "ingested": "2021-06-01T09:52:58.851246900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -14810,11 +15270,12 @@
"www.bing.com"
],
"ip": [
- "_ingest._value"
+ "204.79.197.200",
+ "13.107.21.200"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304036100Z",
+ "ingested": "2021-06-01T09:52:58.851255400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -14906,11 +15367,11 @@
"cdn.doubleverify.com"
],
"ip": [
- "_ingest._value"
+ "23.52.164.109"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304040400Z",
+ "ingested": "2021-06-01T09:52:58.851260500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -15014,11 +15475,11 @@
"cdn3.doubleverify.com"
],
"ip": [
- "_ingest._value"
+ "23.52.164.109"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304045Z",
+ "ingested": "2021-06-01T09:52:58.851266900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -15110,11 +15571,11 @@
"rtb0.doubleverify.com"
],
"ip": [
- "_ingest._value"
+ "204.154.111.122"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304050100Z",
+ "ingested": "2021-06-01T09:52:58.851273800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -15206,11 +15667,11 @@
"dev.virtualearth.net"
],
"ip": [
- "_ingest._value"
+ "20.36.236.157"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304054100Z",
+ "ingested": "2021-06-01T09:52:58.851280600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -15302,11 +15763,11 @@
"t.ssl.ak.dynamic.tiles.virtualearth.net"
],
"ip": [
- "_ingest._value"
+ "23.52.161.238"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304059100Z",
+ "ingested": "2021-06-01T09:52:58.851289300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -15443,11 +15904,22 @@
"rp.gwallet.com"
],
"ip": [
- "_ingest._value"
+ "74.217.253.61",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30",
+ "192.35.51.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304064700Z",
+ "ingested": "2021-06-01T09:52:58.851297600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
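Review bot: The regenerated `ip` list in this hunk (nested beside the hosts list, so presumably `related.ip`) takes all twelve addresses from QueryResults, yet only the first, `::ffff:74.217.253.61`, is a mapped answer for rp.gwallet.com; the trailing `192.x.x.30` / `2001:50x:…::30` set reappears verbatim for unrelated names in later hunks (mpp.vindicosuite.com, s.thebrighttag.com) and looks like the gTLD name-server set that Sysmon appends from the referral section rather than a resolution of the queried name. Copying those into related.ip makes every process that resolves a name look "related" to the same shared DNS infrastructure and will produce false hits for any rule that joins related.ip against an indicator list. This file is generated expected output, so the fix belongs in the sysmon_operational ingest pipeline (separate answer addresses from the trailing nameserver set before populating related.ip, then regenerate); at minimum the pipeline should note `# QueryResults may carry nameserver addresses that are not answers for QueryName`. Separately, every hunk also churns `event.ingested`; if the test harness can ignore dynamic fields, excluding it would keep regeneration diffs limited to real changes.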
@@ -15549,11 +16021,14 @@
"ads.yahoo.com"
],
"ip": [
- "_ingest._value"
+ "98.139.225.43",
+ "98.138.49.44",
+ "72.30.3.43",
+ "216.155.194.56"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304070400Z",
+ "ingested": "2021-06-01T09:52:58.851305400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -15652,11 +16127,13 @@
"um.simpli.fi"
],
"ip": [
- "_ingest._value"
+ "169.55.104.49",
+ "169.60.66.35",
+ "169.61.103.241"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304075500Z",
+ "ingested": "2021-06-01T09:52:58.851311800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -15788,11 +16265,21 @@
"mpp.vindicosuite.com"
],
"ip": [
- "_ingest._value"
+ "35.186.236.204",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304080900Z",
+ "ingested": "2021-06-01T09:52:58.851320300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -15874,11 +16361,11 @@
"sync.1rx.io"
],
"ip": [
- "_ingest._value"
+ "8.41.222.152"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304086300Z",
+ "ingested": "2021-06-01T09:52:58.851326800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:8.41.222.152;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -15970,11 +16457,11 @@
"sync.teads.tv"
],
"ip": [
- "_ingest._value"
+ "23.52.160.7"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304091700Z",
+ "ingested": "2021-06-01T09:52:58.851331Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -16111,11 +16598,21 @@
"s.thebrighttag.com"
],
"ip": [
- "_ingest._value"
+ "3.15.109.176",
+ "52.15.225.252",
+ "3.18.121.79",
+ "3.15.101.187",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304097100Z",
+ "ingested": "2021-06-01T09:52:58.851336400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -16202,11 +16699,11 @@
"t.a3cloud.net"
],
"ip": [
- "_ingest._value"
+ "54.192.55.189"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304102400Z",
+ "ingested": "2021-06-01T09:52:58.851342400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -16298,11 +16795,11 @@
"tps618.doubleverify.com"
],
"ip": [
- "_ingest._value"
+ "204.154.111.122"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304108200Z",
+ "ingested": "2021-06-01T09:52:58.851348200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -16439,11 +16936,19 @@
"dpm.demdex.net"
],
"ip": [
- "_ingest._value"
+ "54.157.69.185",
+ "18.209.139.81",
+ "18.233.36.36",
+ "52.54.198.81",
+ "52.55.201.28",
+ "18.210.34.44",
+ "52.72.163.149",
+ "18.232.198.130",
+ "192.5.6.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304113600Z",
+ "ingested": "2021-06-01T09:52:58.851354800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
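Review bot: The new `ip` array at L3118–L3126 now carries every address found in `QueryResults`, including the trailing `192.5.6.30`, which as far as I can tell is not an answer record for `dpm.demdex.net` but a referral/name-server address that Sysmon appends to the result string; the same pattern appears in the hunks ending at L3158, L3196, L3221, L3245, L3293, L3359, L3386, L3462 and continues into the hunk cut off at L3486. If the pipeline maps this list to `dns.resolved_ip`, detections and threat-intel matches on that field will include addresses the process never actually contacted. This expected output is what the pipeline produces, so the fix belongs in the pipeline or the dataset docs rather than in this file; at minimum the sysmon_operational field description should state that `dns.resolved_ip` mirrors Sysmon's `QueryResults` verbatim and may contain intermediate name-server addresses. The hunk ending at L3359 also shows Sysmon truncating `QueryResults` (the string ends in `192.5`), and the generated `ip` list correctly omits that fragment, which is worth a one-line comment in the pipeline so the behaviour is not mistaken for data loss.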
@@ -16585,11 +17090,21 @@
"secure.adnxs.com"
],
"ip": [
- "_ingest._value"
+ "68.67.179.228",
+ "68.67.180.44",
+ "204.13.192.141",
+ "68.67.178.230",
+ "68.67.178.252",
+ "68.67.179.23",
+ "68.67.179.232",
+ "68.67.180.12",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304119100Z",
+ "ingested": "2021-06-01T09:52:58.851359300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -16681,11 +17196,11 @@
"tps.doubleverify.com"
],
"ip": [
- "_ingest._value"
+ "204.154.111.122"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304124500Z",
+ "ingested": "2021-06-01T09:52:58.851363300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -16822,11 +17337,21 @@
"i.liadm.com"
],
"ip": [
- "_ingest._value"
+ "52.71.175.22",
+ "52.71.208.229",
+ "52.86.201.172",
+ "52.7.6.198",
+ "54.152.156.164",
+ "54.152.56.202",
+ "54.164.15.83",
+ "52.86.191.75",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304130100Z",
+ "ingested": "2021-06-01T09:52:58.851369200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -16963,11 +17488,22 @@
"pixel.s3xified.com"
],
"ip": [
- "_ingest._value"
+ "67.231.251.189",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30",
+ "192.35.51.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304135700Z",
+ "ingested": "2021-06-01T09:52:58.851374Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -17099,11 +17635,21 @@
"router.infolinks.com"
],
"ip": [
- "_ingest._value"
+ "104.20.252.85",
+ "104.20.253.85",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304141Z",
+ "ingested": "2021-06-01T09:52:58.851377900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -17230,11 +17776,20 @@
"grey.erne.co"
],
"ip": [
- "_ingest._value"
+ "94.23.171.206",
+ "188.165.137.78",
+ "87.98.128.108",
+ "94.23.73.243",
+ "94.23.144.220",
+ "87.98.228.78",
+ "188.165.27.173",
+ "87.98.252.5",
+ "188.165.4.142",
+ "87.98.242.60"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304145200Z",
+ "ingested": "2021-06-01T09:52:58.851384900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -17371,11 +17926,22 @@
"sync.jivox.com"
],
"ip": [
- "_ingest._value"
+ "54.243.145.203",
+ "54.221.211.153",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304149900Z",
+ "ingested": "2021-06-01T09:52:58.851395900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -17717,11 +18283,62 @@
"b1sync.zemanta.com"
],
"ip": [
- "_ingest._value"
+ "207.244.121.25",
+ "108.59.0.1",
+ "162.210.196.115",
+ "207.244.94.20",
+ "108.59.0.12",
+ "207.244.121.65",
+ "162.210.199.69",
+ "207.244.76.83",
+ "162.210.197.137",
+ "207.244.108.217",
+ "207.244.121.137",
+ "207.244.67.99",
+ "198.7.56.229",
+ "198.7.56.231",
+ "108.59.4.172",
+ "108.62.117.43",
+ "108.59.4.171",
+ "207.244.121.27",
+ "207.244.71.67",
+ "207.244.121.70",
+ "199.58.84.25",
+ "207.244.67.98",
+ "162.210.196.116",
+ "207.244.73.10",
+ "207.244.110.3",
+ "108.59.4.173",
+ "108.59.0.8",
+ "207.244.71.88",
+ "207.244.121.73",
+ "207.244.69.231",
+ "108.59.0.2",
+ "207.244.121.74",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30",
+ "2001:502:1ca1::30",
+ "192.35.51.30",
+ "2001:503:d414::30",
+ "192.42.93.30",
+ "2001:503:eea3::30",
+ "192.54.112.30",
+ "2001:502:8cc::30",
+ "192.43.172.30",
+ "2001:503:39c1::30",
+ "192.48.79.30",
+ "2001:502:7094::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304155300Z",
+ "ingested": "2021-06-01T09:52:58.851405Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -17873,11 +18490,24 @@
"tg.socdm.com"
],
"ip": [
- "_ingest._value"
+ "124.146.215.43",
+ "202.241.208.53",
+ "124.146.215.46",
+ "202.241.208.52",
+ "124.146.215.48",
+ "124.146.215.45",
+ "202.241.208.54",
+ "124.146.215.47",
+ "124.146.215.42",
+ "124.146.215.44",
+ "202.241.208.55",
+ "202.241.208.56",
+ "192.5.6.30",
+ "2001:503:a83e::2:30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304160100Z",
+ "ingested": "2021-06-01T09:52:58.851413400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -17971,11 +18601,11 @@
"prebid.adnxs.com"
],
"ip": [
- "_ingest._value"
+ "68.67.153.75"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304164200Z",
+ "ingested": "2021-06-01T09:52:58.851421800Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -18072,11 +18702,11 @@
"ul1.dvtps.com"
],
"ip": [
- "_ingest._value"
+ "204.154.111.122"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304169Z",
+ "ingested": "2021-06-01T09:52:58.851430600Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -18150,7 +18780,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304173500Z",
+ "ingested": "2021-06-01T09:52:58.851439100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067946300Z'/\u003e\u003cEventRecordID\u003e200\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.912\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -18242,11 +18872,11 @@
"tags.bluekai.com"
],
"ip": [
- "_ingest._value"
+ "23.3.125.199"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304177800Z",
+ "ingested": "2021-06-01T09:52:58.851447500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -18383,11 +19013,22 @@
"cdnjs.cloudflare.com"
],
"ip": [
- "_ingest._value"
+ "104.19.195.151",
+ "104.19.199.151",
+ "104.19.198.151",
+ "104.19.197.151",
+ "104.19.196.151",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304182Z",
+ "ingested": "2021-06-01T09:52:58.851455900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -18524,11 +19165,22 @@
"pixel.onaudience.com"
],
"ip": [
- "_ingest._value"
+ "85.194.243.23",
+ "85.194.243.239",
+ "85.194.240.137",
+ "85.194.242.103",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304185700Z",
+ "ingested": "2021-06-01T09:52:58.851464500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
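Review bot: The new `dns.resolved_ip` array for `pixel.onaudience.com` ends with the same run of addresses (`192.5.6.30`, `2001:503:a83e::2:30`, `192.33.14.30`, `2001:503:231d::2:30`, `192.26.92.30`, `2001:503:83eb::30`, `192.31.80.30`, `2001:500:856e::30`) that appears verbatim under unrelated names in neighbouring hunks (`cdnjs.cloudflare.com`, `www.facebook.com`, `syndication.twitter.com`), so they are evidently not answers for this question but extra records Sysmon packs into `QueryResults` (they look like TLD name-server glue, though that is inferred, not shown here). Replacing the literal `_ingest._value` with real values is the right fix, but the pipeline that produces this (outside the diff) copies every address in `QueryResults` into `dns.resolved_ip` without separating answer records from the rest, so detections or threat-intel joins on `dns.resolved_ip` will match these infrastructure addresses for most queries. This deserves a caveat next to the field, e.g. in the dataset README: `dns.resolved_ip carries every address found in Sysmon's QueryResults, including referral/glue records that are not answers for dns.question.name; do not treat membership as "the name resolved to this IP".` I cannot tell from this expected file whether the pipeline has enough information to filter them, so the note is the minimum.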
@@ -18620,11 +19272,11 @@
"status.geotrust.com"
],
"ip": [
- "_ingest._value"
+ "72.21.91.29"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304190400Z",
+ "ingested": "2021-06-01T09:52:58.851473Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -18756,11 +19408,20 @@
"ocsp.trust-provider.com"
],
"ip": [
- "_ingest._value"
+ "151.139.128.14",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304195800Z",
+ "ingested": "2021-06-01T09:52:58.851478300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -18899,11 +19560,20 @@
"ocsp.comodoca4.com"
],
"ip": [
- "_ingest._value"
+ "151.139.128.14",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304201300Z",
+ "ingested": "2021-06-01T09:52:58.851481900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -19035,11 +19705,19 @@
"sync.crwdcntrl.net"
],
"ip": [
- "_ingest._value"
+ "52.4.111.14",
+ "52.205.68.184",
+ "52.0.28.154",
+ "34.225.82.232",
+ "18.213.13.245",
+ "52.22.171.66",
+ "52.207.199.229",
+ "52.72.57.144",
+ "192.5.6.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304206600Z",
+ "ingested": "2021-06-01T09:52:58.851487900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -19161,11 +19839,16 @@
"match.sync.ad.cpe.dotomi.com"
],
"ip": [
- "_ingest._value"
+ "159.127.42.114",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304212Z",
+ "ingested": "2021-06-01T09:52:58.851494Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -19264,11 +19947,11 @@
"tps10230.doubleverify.com"
],
"ip": [
- "_ingest._value"
+ "204.154.111.122"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304217300Z",
+ "ingested": "2021-06-01T09:52:58.851501500Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -19367,11 +20050,11 @@
"tps10221.doubleverify.com"
],
"ip": [
- "_ingest._value"
+ "204.154.111.122"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304222700Z",
+ "ingested": "2021-06-01T09:52:58.851510200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -19503,11 +20186,20 @@
"www.facebook.com"
],
"ip": [
- "_ingest._value"
+ "31.13.71.36",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30",
+ "192.12.94.30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304228Z",
+ "ingested": "2021-06-01T09:52:58.851515200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -19614,11 +20306,11 @@
"platform.twitter.com"
],
"ip": [
- "_ingest._value"
+ "192.229.163.25"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304233400Z",
+ "ingested": "2021-06-01T09:52:58.851519300Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -19755,11 +20447,22 @@
"syndication.twitter.com"
],
"ip": [
- "_ingest._value"
+ "104.244.42.8",
+ "104.244.42.200",
+ "104.244.42.136",
+ "104.244.42.72",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30",
+ "192.31.80.30",
+ "2001:500:856e::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304238800Z",
+ "ingested": "2021-06-01T09:52:58.851525100Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -19846,11 +20549,11 @@
"ade.googlesyndication.com"
],
"ip": [
- "_ingest._value"
+ "172.217.10.34"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304244300Z",
+ "ingested": "2021-06-01T09:52:58.851530Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -19942,11 +20645,11 @@
"iecvlist.microsoft.com"
],
"ip": [
- "_ingest._value"
+ "72.21.81.200"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304249800Z",
+ "ingested": "2021-06-01T09:52:58.851537400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20033,11 +20736,11 @@
"tsfe.trafficshaping.dsp.mp.microsoft.com"
],
"ip": [
- "_ingest._value"
+ "40.77.232.95"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304255400Z",
+ "ingested": "2021-06-01T09:52:58.851545900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20111,7 +20814,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304260800Z",
+ "ingested": "2021-06-01T09:52:58.851554400Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:22.432153100Z'/\u003e\u003cEventRecordID\u003e221\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:20.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003eisatap.local.crowbird.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20182,7 +20885,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304267900Z",
+ "ingested": "2021-06-01T09:52:58.851562900Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:42.554539300Z'/\u003e\u003cEventRecordID\u003e230\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:40.504\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e9f7-5d2f-0000-001031039c00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e676\u003c/Data\u003e\u003cData Name='QueryName'\u003epuppet\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20253,7 +20956,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304273600Z",
+ "ingested": "2021-06-01T09:52:58.851571700Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:40:42.447293700Z'/\u003e\u003cEventRecordID\u003e231\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:40:40.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-001016f70000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e636\u003c/Data\u003e\u003cData Name='QueryName'\u003ewpad\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20350,11 +21053,11 @@
"v10.vortex-win.data.microsoft.com"
],
"ip": [
- "_ingest._value"
+ "65.55.44.109"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304279Z",
+ "ingested": "2021-06-01T09:52:58.851577Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20441,11 +21144,11 @@
"settings-win.data.microsoft.com"
],
"ip": [
- "_ingest._value"
+ "20.36.218.63"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304283800Z",
+ "ingested": "2021-06-01T09:52:58.851583200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20543,7 +21246,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.304287400Z",
+ "ingested": "2021-06-01T09:52:58.851590300Z",
"code": "1",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-27T20:00:14.324234100Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='7144' ThreadID='6876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-27 20:00:14.320\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-7c4e-5f98-5803-000000000500}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\notepad.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.475 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eNotepad\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eNOTEPAD.EXE\u003c/Data\u003e\u003cData Name='CommandLine'\u003e\"C:\\Windows\\system32\\notepad.exe\" \u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Users\\vagrant\\\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{9f32b55f-6fdd-5f98-e7c9-020000000000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x2c9e7\u003c/Data\u003e\u003cData 
Name='TerminalSessionId'\u003e1\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eMedium\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=B6D237154F2E528F0B503B58B025862D66B02B73\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{9f32b55f-6fdf-5f98-7000-000000000500}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e4212\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20599,7 +21302,7 @@
"name": "DESKTOP-I9CQVAQ"
},
"event": {
- "ingested": "2021-05-06T11:45:02.304292300Z",
+ "ingested": "2021-06-01T09:52:58.851597400Z",
"code": "25",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e25\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e25\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T14:43:23.551269400Z'/\u003e\u003cEventRecordID\u003e10737797\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='5080'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 14:43:23.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-b78b-6037-6f13-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2628\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\u003c/Data\u003e\u003cData Name='Type'\u003eImage is replaced\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20673,7 +21376,7 @@
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304297500Z",
+ "ingested": "2021-06-01T09:52:58.851602400Z",
"code": "23",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-12T06:48:27.084044200Z'/\u003e\u003cEventRecordID\u003e2243\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1188' ThreadID='1600'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-12 06:48:27.084\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-4664-5eba-91ae-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e820\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20767,7 +21470,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.304302300Z",
+ "ingested": "2021-06-01T09:52:58.851608500Z",
"code": "7",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e7\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e7\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-28T02:39:26.388325200Z'/\u003e\u003cEventRecordID\u003e10685\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1676' ThreadID='4796'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-28 02:39:26.374\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-d9de-5f98-f006-000000000600}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5184\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\dllhost.exe\u003c/Data\u003e\u003cData Name='ImageLoaded'\u003eC:\\Windows\\System32\\IDStore.dll\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.1 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eIdentity Store\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eIdStore.dll\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\u003c/Data\u003e\u003cData Name='Signed'\u003etrue\u003c/Data\u003e\u003cData 
Name='Signature'\u003eMicrosoft Windows\u003c/Data\u003e\u003cData Name='SignatureStatus'\u003eValid\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20827,7 +21530,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.304306400Z",
+ "ingested": "2021-06-01T09:52:58.851617100Z",
"code": "13",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818869100Z'/\u003e\u003cEventRecordID\u003e2691\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20899,7 +21602,7 @@
"name": "DESKTOP-I9CQVAQ"
},
"event": {
- "ingested": "2021-05-06T11:45:02.304311600Z",
+ "ingested": "2021-06-01T09:52:58.851622700Z",
"code": "24",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e24\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e24\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T15:04:48.607343500Z'/\u003e\u003cEventRecordID\u003e10757412\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='6444'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 15:04:48.592\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-aa1b-602f-a600-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2144\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\u003c/Data\u003e\u003cData Name='Session'\u003e1\u003c/Data\u003e\u003cData Name='ClientInfo'\u003euser: DESKTOP-I9CQVAQ\\luks\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -20957,7 +21660,7 @@
"level": "information"
},
"event": {
- "ingested": "2021-05-06T11:45:02.304316900Z",
+ "ingested": "2021-06-01T09:52:58.851628800Z",
"code": "2",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e32\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.339\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
@@ -21077,11 +21780,17 @@
"c.urs.microsoft.com"
],
"ip": [
- "_ingest._value"
+ "40.121.17.79",
+ "192.5.6.30",
+ "2001:503:a83e::2:30",
+ "192.33.14.30",
+ "2001:503:231d::2:30",
+ "192.26.92.30",
+ "2001:503:83eb::30"
]
},
"event": {
- "ingested": "2021-05-06T11:45:02.304321100Z",
+ "ingested": "2021-06-01T09:52:58.851634200Z",
"code": "22",
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
"provider": "Microsoft-Windows-Sysmon",
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml b/packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..dfa8f5c9201
--- /dev/null
+++ b/packages/windows/data_stream/sysmon_operational/_dev/test/system/test-default-config.yml
@@ -0,0 +1,9 @@
+input: httpjson
+service: splunk-mock
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ username: test
+ password: test
+data_stream:
+ vars:
+ preserve_original_event: true
diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
index 5b5c93a79bc..4af763c7e73 100644
--- a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
@@ -841,8 +841,9 @@ processors:
processor:
append:
field: related.ip
- value: _ingest._value
+ value: "{{_ingest._value}}"
allow_duplicates: false
+ ignore_failure: true
- community_id:
ignore_failure: true
ignore_missing: false
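Review bot: `ignore_failure: true` on the `append` processor silently swallows any error from the `{{_ingest._value}}` template, so a failed append leaves `related.ip` incomplete with no trace in the document, and `related.ip` is a primary pivot field for investigations. The enclosing processor (presumably a `foreach`; its header is outside the hunk) already selects which values reach this step, so it is unclear which failure this is meant to absorb; the old literal `_ingest._value` did not fail, it just appended the literal string, as the fixture updates show. If it is kept, give the processor a `tag` so any error that does surface identifies this step, e.g. `tag: append-related-ip`; otherwise drop it so errors reach the pipeline's normal failure handling.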
diff --git a/packages/windows/data_stream/sysmon_operational/fields/base-fields.yml b/packages/windows/data_stream/sysmon_operational/fields/base-fields.yml
index a9a65458fc5..780043c0f6e 100644
--- a/packages/windows/data_stream/sysmon_operational/fields/base-fields.yml
+++ b/packages/windows/data_stream/sysmon_operational/fields/base-fields.yml
@@ -19,3 +19,8 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/windows/data_stream/sysmon_operational/fields/beats.yml b/packages/windows/data_stream/sysmon_operational/fields/beats.yml
new file mode 100644
index 00000000000..3c48f1f224f
--- /dev/null
+++ b/packages/windows/data_stream/sysmon_operational/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/windows/data_stream/sysmon_operational/sample_event.json b/packages/windows/data_stream/sysmon_operational/sample_event.json
new file mode 100644
index 00000000000..0c3c149e4a9
--- /dev/null
+++ b/packages/windows/data_stream/sysmon_operational/sample_event.json
@@ -0,0 +1,124 @@
+{
+ "@timestamp": "2019-07-18T03:34:01.261Z",
+ "agent": {
+ "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b",
+ "hostname": "docker-fleet-agent",
+ "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.13.0"
+ },
+ "data_stream": {
+ "dataset": "windows.sysmon_operational",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "www-msn-com.a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "204.79.197.203",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "name": "www.msn.com",
+ "registered_domain": "msn.com",
+ "subdomain": "www",
+ "top_level_domain": "com"
+ },
+ "resolved_ip": [
+ "204.79.197.203"
+ ]
+ },
+ "ecs": {
+ "version": "1.9.0"
+ },
+ "elastic_agent": {
+ "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322",
+ "snapshot": true,
+ "version": "7.13.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:02.025Z",
+ "dataset": "windows.sysmon_operational",
+ "ingested": "2021-06-01T10:25:35.382586400Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
+ "protocol",
+ "info"
+ ]
+ },
+ "host": {
+ "name": "vagrant-2016"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "name": "iexplore.exe",
+ "pid": 2736
+ },
+ "related": {
+ "hosts": [
+ "www-msn-com.a-0003.a-msedge.net",
+ "a-0003.a-msedge.net",
+ "www.msn.com"
+ ],
+ "ip": [
+ "204.79.197.203"
+ ]
+ },
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
+ },
+ "tags": [
+ "forwarded"
+ ],
+ "user": {
+ "id": "S-1-5-18"
+ },
+ "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "vagrant-2016",
+ "event_id": "22",
+ "opcode": "Info",
+ "process": {
+ "pid": 2828,
+ "thread": {
+ "id": 1684
+ }
+ },
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": "67",
+ "user": {
+ "identifier": "S-1-5-18"
+ },
+ "version": 5
+ }
+}
\ No newline at end of file
diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md
index 5a20d5c4bf3..85664a45fc5 100644
--- a/packages/windows/docs/README.md
+++ b/packages/windows/docs/README.md
@@ -133,6 +133,93 @@ channel specific datasets.
The Windows `powershell` dataset provides events from the Windows
`Windows PowerShell` event log.
+An example event for `powershell` looks as following:
+
+```json
+{
+ "@timestamp": "2020-05-13T13:21:43.183Z",
+ "agent": {
+ "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b",
+ "hostname": "docker-fleet-agent",
+ "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.13.0"
+ },
+ "data_stream": {
+ "dataset": "windows.powershell",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.9.0"
+ },
+ "elastic_agent": {
+ "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322",
+ "snapshot": true,
+ "version": "7.13.0"
+ },
+ "event": {
+ "category": "process",
+ "code": "600",
+ "created": "2021-06-01T10:23:48.533Z",
+ "dataset": "windows.powershell",
+ "ingested": "2021-06-01T10:23:49.554043100Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "PowerShell",
+ "sequence": 35,
+ "type": "info"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "powershell": {
+ "engine": {
+ "version": "5.1.17763.1007"
+ },
+ "pipeline_id": "15",
+ "process": {
+ "executable_version": "5.1.17763.1007"
+ },
+ "provider": {
+ "name": "Certificate",
+ "new_state": "Started"
+ },
+ "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9"
+ },
+ "process": {
+ "args": [
+ "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
+ "C:\\Users\\vagrant\\Desktop\\lateral.ps1"
+ ],
+ "args_count": 2,
+ "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1",
+ "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206",
+ "title": "Windows PowerShell ISE Host"
+ },
+ "tags": [
+ "forwarded"
+ ],
+ "winlog": {
+ "channel": "Windows PowerShell",
+ "computer_name": "vagrant",
+ "event_id": "600",
+ "keywords": [
+ "Classic"
+ ],
+ "provider_name": "PowerShell",
+ "record_id": "1089"
+ }
+}
+```
+
**Exported fields**
| Field | Description | Type |
@@ -183,7 +270,7 @@ The Windows `powershell` dataset provides events from the Windows
| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
| host.ip | Host ip addresses. | ip |
| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.name | Name of the host. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
@@ -192,6 +279,7 @@ The Windows `powershell` dataset provides events from the Windows
| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
| host.os.version | Operating system version as a raw string. | keyword |
| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
| log.level | Original log level of the log event. | keyword |
| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array |
| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword |
@@ -375,6 +463,86 @@ The Windows `powershell` dataset provides events from the Windows
The Windows `powershell_operational` dataset provides events from the Windows
`Microsoft-Windows-PowerShell/Operational` event log.
+An example event for `powershell_operational` looks as following:
+
+```json
+{
+ "@timestamp": "2020-05-13T09:04:04.755Z",
+ "agent": {
+ "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b",
+ "hostname": "docker-fleet-agent",
+ "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.13.0"
+ },
+ "data_stream": {
+ "dataset": "windows.powershell_operational",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.9.0"
+ },
+ "elastic_agent": {
+ "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322",
+ "snapshot": true,
+ "version": "7.13.0"
+ },
+ "event": {
+ "category": "process",
+ "code": "4105",
+ "created": "2021-06-01T10:24:43.254Z",
+ "dataset": "windows.powershell_operational",
+ "ingested": "2021-06-01T10:24:44.277129100Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-PowerShell",
+ "type": "start"
+ },
+ "host": {
+ "name": "vagrant"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "verbose"
+ },
+ "powershell": {
+ "file": {
+ "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9"
+ },
+ "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623"
+ },
+ "tags": [
+ "forwarded"
+ ],
+ "user": {
+ "id": "S-1-5-21-1350058589-2282154016-2764056528-1000"
+ },
+ "winlog": {
+ "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}",
+ "channel": "Microsoft-Windows-PowerShell/Operational",
+ "computer_name": "vagrant",
+ "event_id": "4105",
+ "process": {
+ "pid": 4204,
+ "thread": {
+ "id": 1476
+ }
+ },
+ "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_name": "Microsoft-Windows-PowerShell",
+ "record_id": "790",
+ "user": {
+ "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000"
+ },
+ "version": 1
+ }
+}
+```
+
**Exported fields**
| Field | Description | Type |
@@ -425,7 +593,7 @@ The Windows `powershell_operational` dataset provides events from the Windows
| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
| host.ip | Host ip addresses. | ip |
| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.name | Name of the host. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
@@ -434,6 +602,7 @@ The Windows `powershell_operational` dataset provides events from the Windows
| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
| host.os.version | Operating system version as a raw string. | keyword |
| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
| log.level | Original log level of the log event. | keyword |
| powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array |
| powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword |
@@ -617,6 +786,135 @@ The Windows `powershell_operational` dataset provides events from the Windows
The Windows `sysmon_operational` dataset provides events from the Windows
`Microsoft-Windows-Sysmon/Operational` event log.
+An example event for `sysmon_operational` looks as following:
+
+```json
+{
+ "@timestamp": "2019-07-18T03:34:01.261Z",
+ "agent": {
+ "ephemeral_id": "6d6bb3f5-f905-4ee5-8bee-c719616f8b6b",
+ "hostname": "docker-fleet-agent",
+ "id": "6fe85b08-7c10-4f55-ba4e-eeb75fdd6fdf",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.13.0"
+ },
+ "data_stream": {
+ "dataset": "windows.sysmon_operational",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "dns": {
+ "answers": [
+ {
+ "data": "www-msn-com.a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "a-0003.a-msedge.net",
+ "type": "CNAME"
+ },
+ {
+ "data": "204.79.197.203",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "name": "www.msn.com",
+ "registered_domain": "msn.com",
+ "subdomain": "www",
+ "top_level_domain": "com"
+ },
+ "resolved_ip": [
+ "204.79.197.203"
+ ]
+ },
+ "ecs": {
+ "version": "1.9.0"
+ },
+ "elastic_agent": {
+ "id": "6bdfe1ae-64c3-4177-8b0c-2380a6e01322",
+ "snapshot": true,
+ "version": "7.13.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:02.025Z",
+ "dataset": "windows.sysmon_operational",
+ "ingested": "2021-06-01T10:25:35.382586400Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
+ "protocol",
+ "info"
+ ]
+ },
+ "host": {
+ "name": "vagrant-2016"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "log": {
+ "level": "information"
+ },
+ "network": {
+ "protocol": "dns"
+ },
+ "process": {
+ "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "name": "iexplore.exe",
+ "pid": 2736
+ },
+ "related": {
+ "hosts": [
+ "www-msn-com.a-0003.a-msedge.net",
+ "a-0003.a-msedge.net",
+ "www.msn.com"
+ ],
+ "ip": [
+ "204.79.197.203"
+ ]
+ },
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
+ },
+ "tags": [
+ "forwarded"
+ ],
+ "user": {
+ "id": "S-1-5-18"
+ },
+ "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "vagrant-2016",
+ "event_id": "22",
+ "opcode": "Info",
+ "process": {
+ "pid": 2828,
+ "thread": {
+ "id": 1684
+ }
+ },
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": "67",
+ "user": {
+ "identifier": "S-1-5-18"
+ },
+ "version": 5
+ }
+}
+```
+
**Exported fields**
| Field | Description | Type |
@@ -715,6 +1013,7 @@ The Windows `sysmon_operational` dataset provides events from the Windows
| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
| host.os.version | Operating system version as a raw string. | keyword |
| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
| log.level | Original log level of the log event. | keyword |
| message | For log events the message field contains the log message, optimized for viewing in a log viewer. | text |
| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. | keyword |
@@ -768,6 +1067,7 @@ The Windows `sysmon_operational` dataset provides events from the Windows
| sysmon.dns.status | Windows status code returned for the DNS query. | keyword |
| sysmon.file.archived | Indicates if the deleted file was archived. | boolean |
| sysmon.file.is_executable | Indicates if the deleted file was an executable. | boolean |
+| tags | List of keywords used to tag each event. | keyword |
| user.domain | Name of the directory the user is a member of. | keyword |
| user.id | Unique identifier of the user. | keyword |
| user.name | Short name or login of the user. | keyword |
diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
index 532bb44b9a3..81ce32d405a 100644
--- a/packages/windows/manifest.yml
+++ b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
name: windows
title: Windows
-version: 0.8.1
+version: 0.8.2
description: Windows Integration
type: integration
categories: