From 97f4971dcf5d6e458db02c3eec64841a8e2e897e Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Reddy Burri
Date: Thu, 23 Mar 2023 17:04:42 +0530
Subject: [PATCH] Support multiple IPs in aip & add more fields (#5655)
---
.../deploy/docker/sample_logs/fdr-sample.log | 1 +
packages/crowdstrike/changelog.yml | 5 +
.../fdr/_dev/test/pipeline/test-fdr.log | 2 +
.../test/pipeline/test-fdr.log-expected.json | 1187 +++++++++++++----
.../elasticsearch/ingest_pipeline/default.yml | 77 +-
.../data_stream/fdr/fields/fields.yml | 26 +
.../data_stream/fdr/sample_event.json | 18 +-
packages/crowdstrike/docs/README.md | 31 +-
packages/crowdstrike/manifest.yml | 2 +-
9 files changed, 1064 insertions(+), 285 deletions(-)
diff --git a/packages/crowdstrike/_dev/deploy/docker/sample_logs/fdr-sample.log b/packages/crowdstrike/_dev/deploy/docker/sample_logs/fdr-sample.log
index 0d410547d63..c91a3d3b7b4 100644
--- a/packages/crowdstrike/_dev/deploy/docker/sample_logs/fdr-sample.log
+++ b/packages/crowdstrike/_dev/deploy/docker/sample_logs/fdr-sample.log
@@ -122,3 +122,4 @@ {"AuthenticationId":"703298","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2642284486","ContextProcessId":"1161025471861","ContextThreadId":"34929528116709","ContextTimeStamp":"1604851030.593","DiskParentDeviceInstanceId":"USB\\VID_1058\u0026PID_2621\\57583431453939315A4C5255","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"262fbc677256cf4c8d6c6a227285a072c06830873b000000","FileObject":"18446664963104449168","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"1","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"517029","TargetFileName":"\\Device\\HarddiskVolume5\\01.png.tmp$$","TokenType":"1","UserName":"user9","aid":"ffffffff16bf4c7bb5ad755a4722025c","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"GenericFileWritten","id":"ffffffff-1111-11eb-800a-06cecfd73923","name":"GenericFileWrittenV11","timestamp":"1604851031298"} {"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"1604850899.164","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812"} {"ConfigBuild":"1007.4.0009906.1","ConfigStateHash":"3429017943","ContextProcessId":"66426035996442255","ContextTimeStamp":"1604851098.548","Entitlements":"15","aid":"ffffffff899541b94b9adff8922aa70a","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"FirewallDisabled","id":"ffffffff-1111-11eb-9d4c-02f402df8c1f","name":"FirewallDisabledMacV1","timestamp":"1604851040625"} 
+{"ComputerName":"HQ-sadhkbasHS","CurrentLocalIP":"67.43.156.13","FirstDiscoveredDate":"1669625277.827","LastDiscoveredBy":"c1b74438660b44cfa93e24c9d44badab","LocalAddressIP4":"67.43.156.13","MAC":"AA-AA-AA-AA-AA-AA","MACPrefix":"AA-AA-AA","NeighborName":"!!!!UNKNOWN!!!!","__mv_LocalAddressIP4":"","__mv_aip":"$67.43.156.14$;$67.43.156.13$","__mv_discoverer_aid":"$4b8f58d3f5f040b3804d3820ca2aed67$;$c1b74438660b44cfa93e24c9d44badab$","__mv_discoverer_devicetype":"","_time":"1678931820.343","aip":"67.43.156.13 67.43.156.14 81.2.69.192","aipCount":"3","cid":"500c5073b4d7443688f4b32c5eeb295b","discovererCount":"2","discoverer_aid":"4b8f58d3f5f040b3804d3820ca2aed67 c1b74438660b44cfa93e24c9d44badab","discoverer_devicetype":"","localipCount":"1","subnet":"10.0"} diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index 9994c11c721..f99de756dda 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.11.1" + changes: + - description: Multiple IPs in `aip` field and add new fields + type: bugfix + link: https://github.com/elastic/integrations/pull/5655 - version: "1.11.0" changes: - description: Support `max_number_of_messages` in SQS mode diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log index 2fd2fe27450..d906f160ab4 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log 
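Review bot: The new sample record is internally inconsistent: `aip` carries three addresses and `aipCount` is `"3"`, but `__mv_aip` lists only `$67.43.156.14$;$67.43.156.13$`, so any future handling of the `__mv_*` keys would be pinned against contradictory data. The `__mv_*` and `_time` keys, together with the absence of `aid`, `event_simpleName`, `name` and `timestamp`, suggest this line came from an export that flattens multivalue fields rather than from a native FDR event — worth confirming and stating in the README next to the new field descriptions, since that is where the space-joined `aip` form appears to originate. Either align the fixture with `"__mv_aip":"$67.43.156.14$;$67.43.156.13$;$81.2.69.192$"` or drop the `__mv_*` keys if the pipeline never maps them. The `default.yml` change that consumes these fields is not in this chunk, so which of the two applies cannot be checked here.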
@@ -126,3 +126,5 @@ {"AuthenticationId":"317005428","AuthenticationPackage":"Negotiate","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3950066843","EffectiveTransmissionClass":"2","Entitlements":"15","LogoffTime":"1604855132.756","LogonDomain":"dom1","LogonServer":"srv2","LogonTime":"1604855131.666","LogonType":"7","PasswordLastSet":"1598119332.510","RemoteAccount":"1","UserFlags":"32","UserIsAdmin":"0","UserLogoffType":"3","UserLogonFlags":"0","UserName":"user4","UserPrincipal":"user.name@dom2.com","UserSid":"S-1-5-21-606747145-1364589140-725345543-28636","aid":"ffffffffe0104823bd3de859d5bc8bc7","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogoff","id":"ffffffff-1111-11eb-8913-0287fd11c79b","name":"UserLogoffV3","UTCTimestamp":"1604855134461"} {"ProcessCreateFlags":"1024","IntegrityLevel":"8192","ParentProcessId":"434985540832797032","SourceProcessId":"434985540832797032","aip":"89.160.20.120","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-4084637156-299436391-3671333128-115430","event_platform":"Win","TokenType":"2","ProcessEndTime":"","ParentBaseFileName":"EmUser.exe","ImageSubsystem":"2","id":"9686a6b3-1d39-11ed-9370-0660bfa16adf","EffectiveTransmissionClass":"3","SessionId":"1","Tags":"25, 27, 862, 874, 924, 12094627905582, 12094627906234","timestamp":"1660636869410","event_simpleName":"ProcessRollup2","RawProcessId":"6108","ConfigStateHash":"518095218","MD5HashData":"e570911fc2ab74ecf0dc59f324318f6e","SHA256HashData":"f470180a4f67ebd944570b3eaf040caa8c0713252c6228e60c413714375ccfe2","ProcessSxsFlags":"64","AuthenticationId":"29530993","ConfigBuild":"1007.3.0015103.1","CommandLine":"\"C:\\Program Files\\nirsoft\\SoundVolumeView.exe\" /SetDefault \"Teradici Virtual Audio Driver\\device\\speakers\\\" all","ParentAuthenticationId":"29530993","TargetProcessId":"434985669758362104","ImageFileName":"\\Device\\HarddiskVolume3\\Program 
Files\\NirSoft\\SoundVolumeView.exe","SourceThreadId":"434985668331321297","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1660636868.576","ProcessParameterFlags":"24577","aid":"50deaa55144543089a1f463b568cdc53","cid":"1301ac65ae144fbb9689a8472f828c2e"} {"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":133145666190000000,"EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812","StartTime":133145665200000000,"EndTime":133145665200000000} +{"ComputerName":"HQ-sadhkbasHS","CurrentLocalIP":"67.43.156.13","FirstDiscoveredDate":"1669625277.827","LastDiscoveredBy":"c1b74438660b44cfa93e24c9d44badab","LocalAddressIP4":"67.43.156.13","MAC":"AA-AA-AA-AA-AA-AA","MACPrefix":"AA-AA-AA","NeighborName":"!!!!UNKNOWN!!!!","__mv_LocalAddressIP4":"","__mv_aip":"$67.43.156.14$;$67.43.156.13$","__mv_discoverer_aid":"$4b8f58d3f5f040b3804d3820ca2aed67$;$c1b74438660b44cfa93e24c9d44badab$","__mv_discoverer_devicetype":"","_time":"1678931820.343","aip":"67.43.156.13 67.43.156.14 81.2.69.192","aipCount":"3","cid":"500c5073b4d7443688f4b32c5eeb295b","discovererCount":"2","discoverer_aid":"4b8f58d3f5f040b3804d3820ca2aed67 c1b74438660b44cfa93e24c9d44badab","discoverer_devicetype":"","localipCount":"1","subnet":"10.0"} 
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812","StartTime":133145665200000000,"EndTime":133145665200000000} \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json index 82491baf1ad..f570e2aa5ba 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json @@ -35,7 +35,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -45,7 +47,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffa63e404bba4bff7465ab3afb", "type": "agent", "vendor": "crowdstrike", @@ -137,7 +141,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -147,7 +153,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff3c0846978560dbc0048d6555", "type": "agent", "vendor": "crowdstrike", @@ -231,7 +239,9 @@ "transport": "udp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
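Review bot: The two added fixture lines only exercise the well-formed case of the multi-IP `aip` split — three valid IPv4 tokens separated by single spaces — so no expected output pins what the pipeline does with a token that is not an address. Since the expected output now maps `aip` onto the ECS `observer.ip` array, an `ip`-typed field, an element such as `""` from a doubled or trailing space, or a non-address token, would presumably be rejected at index time for the whole document unless the pipeline validates each element; a line like `{"aip":"67.43.156.13  81.2.69.192 n/a","aid":"ffffffff896b43725b83c79aa79959da","cid":"ffffffff30a3407dae27d0503611022d","event_simpleName":"FsVolumeUnmounted","timestamp":"1604850899812"}` would make that behaviour explicit in the expected JSON. The second added line usefully covers `"ContextTimeStamp":""`; an empty `"aip":""` deserves the same treatment. The file also lost its trailing newline (`\ No newline at end of file`), so the next fixture appended here will show up as a modification of this line. The processor that performs the split lives in `default.yml`, outside this chunk, so whether it already guards these cases cannot be confirmed from here.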
@@ -241,7 +251,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffc59c473aa7fcbbe7438082cb", "type": "agent", "vendor": "crowdstrike", @@ -316,7 +328,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -326,7 +340,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff59fe460783ea45d59e417d6f", "type": "agent", "vendor": "crowdstrike", @@ -415,7 +431,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -425,7 +443,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffe1ad47b6b5b44ae9151a6cf3", "type": "agent", "vendor": "crowdstrike", @@ -487,7 +507,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -497,7 +519,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff8be84591864008eb2e484920", "type": "agent", "vendor": "crowdstrike", @@ -608,7 +632,9 @@ "transport": "udp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -618,7 +644,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", "type": "agent", "vendor": "crowdstrike", @@ -695,7 +723,9 @@ "transport": "udp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -705,7 +735,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff01fc49949cf06bf0bce3c010", "type": "agent", "vendor": "crowdstrike", 
@@ -794,7 +826,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -804,7 +838,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff083845f68a7de3d95cb34361", "type": "agent", "vendor": "crowdstrike", @@ -877,7 +913,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -887,7 +925,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffcf45409f87ed463b40c368ec", "type": "agent", "vendor": "crowdstrike", @@ -989,7 +1029,9 @@ "transport": "udp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -999,7 +1041,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", "type": "agent", "vendor": "crowdstrike", @@ -1070,7 +1114,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -1080,7 +1126,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff20bd481a98a3d1f6191047ff", "type": "agent", "vendor": "crowdstrike", @@ -1166,7 +1214,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -1176,7 +1226,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffffbd064538b214ab0dce8e82c3", "type": "agent", "vendor": "crowdstrike", 
@@ -1247,7 +1299,9 @@ "original": "{\"ChannelVersion\":\"0\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"1156120155\",\"ChannelDiffStatus\":\"1\",\"aip\":\"67.43.156.14\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"12\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"ChannelVersionRequiredLinV2\",\"id\":\"ffffffff-1111-11eb-b7e0-02332cdcc16d\",\"ErrorCode\":\"0\",\"aid\":\"ffffffff25b14d4aa96de99e24bad2fa\",\"timestamp\":\"1625677493974\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -1257,7 +1311,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff25b14d4aa96de99e24bad2fa", "type": "agent", "vendor": "crowdstrike", @@ -1314,7 +1370,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -1324,7 +1382,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffc9114c1898e79604708955a6", "type": "agent", "vendor": "crowdstrike", @@ -1391,7 +1451,9 @@ "original": "{\"ChannelVersion\":\"0\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"1620585913\",\"ChannelDiffStatus\":\"1\",\"aip\":\"67.43.156.13\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"210\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ChannelVersionRequiredMacV2\",\"id\":\"ffffffff-1111-11eb-8cc5-02c6fb049dd3\",\"ErrorCode\":\"0\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff2d7b4778a73b2cf58d327e42\",\"timestamp\":\"1625677480455\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -1401,7 +1463,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff2d7b4778a73b2cf58d327e42", "type": "agent", "vendor": "crowdstrike", @@ -1459,7 +1523,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -1469,7 +1535,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "fffffffff6e146908cbf31d72b94b626", "type": "agent", "vendor": "crowdstrike", @@ -1531,7 +1599,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -1541,7 +1611,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff083845f68a7de3d95cb34361", "type": "agent", "vendor": "crowdstrike", @@ -1626,7 +1698,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -1636,7 +1710,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff96f142f6b2475f3c584ddd80", "type": "agent", "vendor": "crowdstrike", @@ -1710,7 +1786,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -1720,7 +1798,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff7ecf4e61bba14ca5ac5d17b1", "type": "agent", "vendor": "crowdstrike", @@ -1789,7 +1869,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -1799,7 +1881,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffbea440b9aad8b5bf222d303f", "type": "agent", "vendor": "crowdstrike", @@ -1860,7 +1944,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -1870,7 +1956,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffbfbf4ff5aa56a26ad3c1a942", "type": "agent", "vendor": "crowdstrike", @@ -1948,7 +2036,9 @@ "type": "dir" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -1958,7 +2048,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff24db47799d1a85aae61dc7bc", "type": "agent", "vendor": "crowdstrike", @@ -2050,7 +2142,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -2060,7 +2154,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff58de4e748d9f64c85a9b49e6", "type": "agent", "vendor": "crowdstrike", @@ -2164,7 +2260,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -2174,7 +2272,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", "type": "agent", "vendor": "crowdstrike", @@ -2237,7 +2337,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -2247,7 +2349,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff190e436aaebc3892bcda5beb", "type": "agent", "vendor": "crowdstrike", @@ -2321,7 +2425,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -2331,7 +2437,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "type": "agent", "vendor": "crowdstrike", @@ -2416,7 +2524,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -2426,7 +2536,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff0ad7494e8e817b3903f4eebb", "type": "agent", "vendor": "crowdstrike", @@ -2508,7 +2620,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -2518,7 +2632,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff23d24c4193ffa6f270775ee5", "type": "agent", "vendor": "crowdstrike", @@ -2588,7 +2704,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -2598,7 +2716,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffa7bf46da689501ce58bd6987", "type": "agent", "vendor": "crowdstrike", @@ -2658,7 +2778,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -2668,7 +2790,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "fffffffffc2c4e4fa9c08e1a8388e5f9", "type": "agent", "vendor": "crowdstrike", @@ -2731,7 +2855,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -2741,7 +2867,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "type": "agent", "vendor": "crowdstrike", @@ -2796,7 +2924,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -2806,7 +2936,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "type": "agent", "vendor": "crowdstrike", @@ -2869,7 +3001,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -2879,7 +3013,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff5ae3449ab33a1809fe6c5ce2", "type": "agent", "vendor": "crowdstrike", @@ -2963,7 +3099,9 @@ "transport": "udp" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -2973,7 +3111,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff335f47ca89cad6a19f203bbd", "type": "agent", "vendor": "crowdstrike", @@ -3042,7 +3182,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3052,7 +3194,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffa74a4c89b9984a3a7124bb9d", "type": "agent", "vendor": "crowdstrike", 
@@ -3108,7 +3252,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3118,7 +3264,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff0cd64fb78626ab1b6c65ac8c", "type": "agent", "vendor": "crowdstrike", @@ -3183,7 +3331,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3193,7 +3343,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffabd047b1a86c1fcd8ef22b59", "type": "agent", "vendor": "crowdstrike", @@ -3276,7 +3428,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3286,7 +3440,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffa15a452190ae454f7d33e07e", "type": "agent", "vendor": "crowdstrike", @@ -3341,7 +3497,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3351,7 +3509,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffaa0e47a1b009aef151d6179d", "type": "agent", "vendor": "crowdstrike", 
@@ -3404,7 +3564,9 @@ "original": "{\"ChannelVersion\":\"25\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"3155796140\",\"aip\":\"67.43.156.14\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"20\",\"ConfigBuild\":\"1007.8.0011110.1\",\"event_platform\":\"Lin\",\"name\":\"ChannelVersionRequiredLinV1\",\"id\":\"ffffffff-1111-11eb-b411-06baeacb7a63\",\"aid\":\"ffffffff67d54f7daf3d998ffc74d48e\",\"timestamp\":\"1625677507901\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3414,7 +3576,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff67d54f7daf3d998ffc74d48e", "type": "agent", "vendor": "crowdstrike", @@ -3472,7 +3636,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3482,7 +3648,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffe22549479fbe8293b6747a68", "type": "agent", "vendor": "crowdstrike", @@ -3563,7 +3731,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3573,7 +3743,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "type": "agent", "vendor": "crowdstrike", 
@@ -3637,7 +3809,9 @@ "original": "{\"FeatureVector\":\"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\",\"event_simpleName\":\"DeliverLocalFXToCloud\",\"ConfigStateHash\":\"1620585913\",\"aip\":\"67.43.156.14\",\"ModelPrediction\":\"1436899696705536\",\"SHA256HashData\":\"c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2\",\"Malicious\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"FeatureExtractionVersion\":\"2\",\"event_platform\":\"Mac\",\"FXFileSize\":\"502032\",\"Entitlements\":\"15\",\"name\":\"DeliverLocalFXToCloudMacV4\",\"PupAdwareDecisionValue\":\"12384657383358464\",\"id\":\"ffffffff-1111-11eb-b44e-069a02b0ad6b\",\"PupAdwareConfidence\":\"0\",\"EffectiveTransmissionClass\":\"1\",\"aid\":\"ffffffff45d647e6ae0ba8764a4bd570\",\"MLModelVersion\":\"4\",\"timestamp\":\"1625677489052\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3647,7 +3821,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff45d647e6ae0ba8764a4bd570", "type": "agent", "vendor": "crowdstrike", @@ -3708,7 +3884,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3718,7 +3896,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffb3a3442585c05abc61e290fc", "type": "agent", "vendor": "crowdstrike", @@ -3807,7 +3987,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3817,7 +3999,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffffc4044541995bffd84b9df003", "type": "agent", "vendor": "crowdstrike", 
@@ -3872,7 +4056,9 @@ "original": "{\"event_simpleName\":\"GroupIdentity\",\"GID\":\"242\",\"AuthenticationUuidAsString\":\"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"67.43.156.13\",\"AuthenticationId\":\"1119489580471877843\",\"UserPrincipal\":\"user2@dom1\",\"UserSid\":\"S-1-5-21-3852557355-3178143607-2040168074-1485\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"GroupIdentityMacV2\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"AuthenticationUuid\":\"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2\",\"timestamp\":\"1625677478379\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3882,7 +4068,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "type": "agent", "vendor": "crowdstrike", @@ -3961,7 +4149,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -3971,7 +4161,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "type": "agent", "vendor": "crowdstrike", @@ -4044,7 +4236,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -4054,7 +4248,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "type": "agent", "vendor": "crowdstrike", 
@@ -4240,7 +4436,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -4250,7 +4448,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff62714a708030d494ca0a7e60", "type": "agent", "vendor": "crowdstrike", @@ -4315,7 +4515,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -4325,7 +4527,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff28414c2293e35c360213e723", "type": "agent", "vendor": "crowdstrike", @@ -4517,7 +4721,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -4527,7 +4733,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "fffffffffbea48169985c2c2bae89d1d", "type": "agent", "vendor": "crowdstrike", @@ -4575,7 +4783,9 @@ "original": "{\"event_simpleName\":\"LightningLatencyInfo\",\"LightningLatencyState\":\"3\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"67.43.156.14\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LightningLatencyInfoMacV1\",\"id\":\"ffffffff-1111-11eb-b44e-069a02b0ad6b\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffd452449b8d1eb7d85b146650\",\"timestamp\":\"1625677453146\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -4585,7 +4795,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffd452449b8d1eb7d85b146650", "type": "agent", "vendor": "crowdstrike", 
@@ -4676,7 +4888,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -4686,7 +4900,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff8eb649cf8d82be1e65629a0e", "type": "agent", "vendor": "crowdstrike", @@ -4748,7 +4964,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -4758,7 +4976,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff2d984e32b702789b54f0f811", "type": "agent", "vendor": "crowdstrike", @@ -4853,7 +5073,9 @@ "name": "comp2" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -4863,7 +5085,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffbea440b9aad8b5bf222d303f", "type": "agent", "vendor": "crowdstrike", @@ -4926,7 +5150,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -4936,7 +5162,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", "type": "agent", "vendor": "crowdstrike", @@ -5008,7 +5236,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -5018,7 +5248,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffbea440b9aad8b5bf222d303f", "type": "agent", "vendor": "crowdstrike", @@ -5090,7 +5322,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -5100,7 +5334,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff4f4044b689d6420d303e4ecd", "type": "agent", "vendor": "crowdstrike", @@ -5158,7 +5394,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -5168,7 +5406,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff88b948c6abeeee910f6d8c33", "type": "agent", "vendor": "crowdstrike", @@ -5243,7 +5483,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -5253,7 +5495,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffe6244708bd09a6c111f63f4a", "type": "agent", "vendor": "crowdstrike", @@ -5326,7 +5570,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -5336,7 +5582,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff2977460db2898ece881a9358", "type": "agent", "vendor": "crowdstrike", @@ -5396,7 +5644,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -5406,7 +5656,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff5e8b4724aa10088c4f71cd9a", "type": "agent", "vendor": "crowdstrike", @@ -5482,7 +5734,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -5492,7 +5746,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "fffffffff1a64286a233d09974b1b377", "type": "agent", "vendor": "crowdstrike", @@ -5553,7 +5809,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -5563,7 +5821,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffdd094539a02b394c69a70aaf", "type": "agent", "vendor": "crowdstrike", @@ -5625,7 +5885,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -5635,7 +5897,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff70cf4070af024397f25007c7", "type": "agent", "vendor": "crowdstrike", @@ -5693,7 +5957,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -5703,7 +5969,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffed984e248973f3ada1eb543d", "type": "agent", "vendor": "crowdstrike", @@ -5769,7 +6037,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -5779,7 +6049,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff2a0d484da8f7a9cf8bde7164", "type": "agent", "vendor": "crowdstrike", @@ -5848,7 +6120,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -5858,7 +6132,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff28414c2293e35c360213e723", "type": "agent", "vendor": "crowdstrike", @@ -5935,7 +6211,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -5945,7 +6223,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff2d1245c0a32d5efcf9351272", "type": "agent", "vendor": "crowdstrike", @@ -6009,7 +6289,9 @@ "type": "dir" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -6019,7 +6301,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff761b4a7d9962dd9e7e776044", "type": "agent", "vendor": "crowdstrike", @@ -6092,7 +6376,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -6102,7 +6388,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff01c7450180352a7c58a28fb4", "type": "agent", "vendor": "crowdstrike", @@ -6166,7 +6454,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -6176,7 +6466,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffcebd42c0890d59b54279d3d3", "type": "agent", "vendor": "crowdstrike", @@ -6252,7 +6544,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -6262,7 +6556,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "fffffffff2c7432859ff6bbe1a0bd6af", "type": "agent", "vendor": "crowdstrike", @@ -6322,7 +6618,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -6332,7 +6630,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff0d7b4d839912e55b4755e85b", "type": "agent", "vendor": "crowdstrike", @@ -6402,7 +6702,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -6412,7 +6714,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff557f4b99a0afdea9ce8cd6fa", "type": "agent", "vendor": "crowdstrike", @@ -6491,7 +6795,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -6501,7 +6807,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff70d140ca9ba97f0dddd14137", "type": "agent", "vendor": "crowdstrike", @@ -6600,7 +6908,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -6610,7 +6920,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff75fc48f15cfe5f095e605c4c", "type": "agent", "vendor": "crowdstrike", @@ -6730,7 +7042,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -6740,7 +7054,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffb5db4b2e7ec89aba537adcc2", "type": "agent", "vendor": "crowdstrike", 
@@ -6827,7 +7143,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -6837,7 +7155,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", "type": "agent", "vendor": "crowdstrike", @@ -6920,7 +7240,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -6930,7 +7252,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff3a5a424fa02450da53619745", "type": "agent", "vendor": "crowdstrike", @@ -7019,7 +7343,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -7029,7 +7355,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff4f1444bab96568879cb43556", "type": "agent", "vendor": "crowdstrike", @@ -7095,7 +7423,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -7105,7 +7435,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff32ba43a483e76c6f0a4aa26f", "type": "agent", "vendor": "crowdstrike", @@ -7182,7 +7514,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -7192,7 +7526,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", "type": "agent", "vendor": "crowdstrike", @@ -7297,7 +7633,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -7307,7 +7645,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff8f1e4b77b4dae5debaa1c8bc", "type": "agent", "vendor": "crowdstrike", @@ -7391,7 +7731,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -7401,7 +7743,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffffd4094240a6b1d12aaf304f4f", "type": "agent", "vendor": "crowdstrike", @@ -7493,7 +7837,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -7503,7 +7849,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "fffffffff000426eb99afaa2ccdcbc17", "type": "agent", "vendor": "crowdstrike", @@ -7587,7 +7935,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -7597,7 +7947,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff8d2e4b4f9b21b40633a8d579", "type": "agent", "vendor": "crowdstrike", @@ -7692,7 +8044,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -7702,7 +8056,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff2c47454cba360bc404a607bb", "type": "agent", "vendor": "crowdstrike", @@ -7775,7 +8131,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -7785,7 +8143,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffffe0104823bd3de859d5bc8bc7", "type": "agent", "vendor": "crowdstrike", @@ -7870,7 +8230,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -7880,7 +8242,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff425942f58382dbb11350eeda", "type": "agent", "vendor": "crowdstrike", @@ -7952,7 +8316,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -7962,7 +8328,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffa51b4acf9dbc1fc273e6145c", "type": "agent", "vendor": "crowdstrike", @@ -8053,7 +8421,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -8063,7 +8433,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffffd8844a59acce5e1f4ad01888", "type": "agent", "vendor": "crowdstrike", @@ -8146,7 +8518,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -8156,7 +8530,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff4a0946365161093453e596d4", "type": "agent", "vendor": "crowdstrike", @@ -8230,7 +8606,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -8240,7 +8618,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffffcfe84e8c6a52c4001bd83761", "type": "agent", "vendor": "crowdstrike", @@ -8307,7 +8687,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -8317,7 +8699,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff80984ea8b49d9a53f590c566", "type": "agent", "vendor": "crowdstrike", @@ -8384,7 +8768,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -8394,7 +8780,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffffc94c645268f64fc900213f", "type": "agent", "vendor": "crowdstrike", @@ -8477,7 +8865,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -8487,7 +8877,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff280b41b956a91e816bd9b9b0", "type": "agent", "vendor": "crowdstrike", @@ -8565,7 +8957,9 @@ "type": "dir" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -8575,7 +8969,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff2c9f4066b0b5f2f00265503c", "type": "agent", "vendor": "crowdstrike", @@ -8643,7 +9039,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -8653,7 +9051,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "fffffffffcc4413057adc260e99b0774", "type": "agent", "vendor": "crowdstrike", @@ -8741,7 +9141,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -8751,7 +9153,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffed0f41575620ab9fb25ce105", "type": "agent", "vendor": "crowdstrike", @@ -8831,7 +9235,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -8841,7 +9247,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff73164cfa9656c4caff8a2a38", "type": "agent", "vendor": "crowdstrike", @@ -8941,7 +9349,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -8951,7 +9361,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffbe8a46386afe80c5ef64d0b5", "type": "agent", "vendor": "crowdstrike", @@ -9053,7 +9465,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -9063,7 +9477,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffac4148947ed68497e89f3308", "type": "agent", "vendor": "crowdstrike", @@ -9177,7 +9593,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -9187,7 +9605,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "fffffffffdab492a5a20cd0417395a73", "type": "agent", "vendor": "crowdstrike", @@ -9279,7 +9699,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -9289,7 +9711,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "fffffffffa474d216472f3edb73c75ed", "type": "agent", "vendor": "crowdstrike", @@ -9361,7 +9785,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -9371,7 +9797,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff1f924e228a807ea4c0f21b0b", "type": "agent", "vendor": "crowdstrike", @@ -9460,7 +9888,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -9470,7 +9900,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff1f32487185fcde66a9dc0528", "type": "agent", "vendor": "crowdstrike", @@ -9532,7 +9964,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -9542,7 +9976,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffffa5bd4efaa195a7132c576edc", "type": "agent", "vendor": "crowdstrike", @@ -9632,7 +10068,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -9642,8 +10080,10 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", - "serial_number": "ffffffff6854438eb4181691ec47e43d", + "ip": [ + "67.43.156.14" + ], + "serial_number": "ffffffff6854438eb4181691ec47e43d", "type": "agent", "vendor": "crowdstrike", "version": "1007.3.0011603.1" @@ -9726,7 +10166,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -9736,7 +10178,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffc07b49d6b7426e970523671a", "type": "agent", "vendor": "crowdstrike", @@ -9808,7 +10252,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -9818,7 +10264,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffa60a47af4ebd2a76070f0d4f", "type": "agent", "vendor": "crowdstrike", @@ -9886,7 +10334,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -9896,7 +10346,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff6d724d38af99c628fb904626", "type": "agent", "vendor": "crowdstrike", @@ -9970,7 +10422,9 @@ "device": "PCI\\VEN_8086\u0026DEV_31E3\u0026SUBSYS_080C1028\u0026REV_03\\3\u002611583659\u00260\u002690" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -9980,7 +10434,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff1990483499a736373600eef7", "type": "agent", "vendor": "crowdstrike", 
@@ -10048,7 +10504,9 @@ "transport": "tcp" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10058,7 +10516,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffe5ff467b4f0c4fd41a4462bb", "type": "agent", "vendor": "crowdstrike", @@ -10133,7 +10593,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10143,7 +10605,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff59514ea68b4693ddfb9b6643", "type": "agent", "vendor": "crowdstrike", @@ -10210,7 +10674,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10220,7 +10686,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff2b5a4bf5afc6682595faa016", "type": "agent", "vendor": "crowdstrike", @@ -10298,7 +10766,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10308,7 +10778,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff32cb4abc50bc133b31a69946", "type": "agent", "vendor": "crowdstrike", @@ -10386,7 +10858,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10396,7 +10870,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff655344736aca58d17fb570f0", "type": "agent", "vendor": "crowdstrike", 
@@ -10481,7 +10957,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10491,7 +10969,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff1f32487185fcde66a9dc0528", "type": "agent", "vendor": "crowdstrike", @@ -10560,7 +11040,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10570,7 +11052,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffffcdb543135e7fcdf8e5a8fbdb", "type": "agent", "vendor": "crowdstrike", @@ -10636,7 +11120,9 @@ "type": "file" }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10646,7 +11132,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff16bf4c7bb5ad755a4722025c", "type": "agent", "vendor": "crowdstrike", @@ -10713,7 +11201,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10723,7 +11213,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffff896b43725b83c79aa79959da", "type": "agent", "vendor": "crowdstrike", @@ -10783,7 +11275,9 @@ ] }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10793,7 +11287,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "ffffffff899541b94b9adff8922aa70a", "type": "agent", "vendor": "crowdstrike", 
@@ -10860,7 +11356,9 @@ "name": "mac1" }, "observer": { - "address": "67.43.156.14", + "address": [ + "67.43.156.14" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10870,7 +11368,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.14", + "ip": [ + "67.43.156.14" + ], "serial_number": "fffffffffffaaaaaaaaabbbbbbbb", "type": "agent", "vendor": "crowdstrike", @@ -10935,7 +11435,9 @@ ] }, "observer": { - "address": "67.43.156.13", + "address": [ + "67.43.156.13" + ], "geo": { "continent_name": "Asia", "country_iso_code": "BT", @@ -10945,7 +11447,9 @@ "lon": 90.5 } }, - "ip": "67.43.156.13", + "ip": [ + "67.43.156.13" + ], "serial_number": "ffffffffe0104823bd3de859d5bc8bc7", "type": "agent", "vendor": "crowdstrike", @@ -11031,7 +11535,9 @@ ] }, "observer": { - "address": "89.160.20.120", + "address": [ + "89.160.20.120" + ], "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -11044,7 +11550,9 @@ "region_iso_code": "SE-E", "region_name": "Östergötland County" }, - "ip": "89.160.20.120", + "ip": [ + "89.160.20.120" + ], "serial_number": "50deaa55144543089a1f463b568cdc53", "type": "agent", "vendor": "crowdstrike", 
@@ -11128,7 +11636,122 @@ ] }, "observer": { + "address": [ + "67.43.156.13" + ], + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": [ + "67.43.156.13" + ], + "serial_number": "ffffffff896b43725b83c79aa79959da", + "type": "agent", + "vendor": "crowdstrike", + "version": "1007.3.0011603.1" + }, + "os": { + "type": "windows" + }, + "process": { + "entity_id": "1717987648455", + "thread": { + "id": 55064470042288 + } + }, + "related": { + "hash": [ + "666346415" + ], + "hosts": [ + "67.43.156.13" + ], + "ip": [ + "67.43.156.13" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "scheme": "http" + } + }, + { + "@timestamp": "2023-03-16T01:57:00.343Z", + "crowdstrike": { + "CurrentLocalIP": "67.43.156.13", + "FirstDiscoveredDate": "2022-11-28T08:47:57.827Z", + "LastDiscoveredBy": "c1b74438660b44cfa93e24c9d44badab", + "MACPrefix": "AA-AA-AA", + "NeighborName": "!!!!UNKNOWN!!!!", + "__mv_aip": "$67.43.156.14$;$67.43.156.13$", + "__mv_discoverer_aid": "$4b8f58d3f5f040b3804d3820ca2aed67$;$c1b74438660b44cfa93e24c9d44badab$", + "aipCount": 3, + "cid": "500c5073b4d7443688f4b32c5eeb295b", + "discovererCount": 2, + "discoverer_aid": "4b8f58d3f5f040b3804d3820ca2aed67 c1b74438660b44cfa93e24c9d44badab", + "localipCount": 1, + "subnet": "10.0" + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "created": "2023-03-16T01:57:00.343Z", + "original": 
"{\"ComputerName\":\"HQ-sadhkbasHS\",\"CurrentLocalIP\":\"67.43.156.13\",\"FirstDiscoveredDate\":\"1669625277.827\",\"LastDiscoveredBy\":\"c1b74438660b44cfa93e24c9d44badab\",\"LocalAddressIP4\":\"67.43.156.13\",\"MAC\":\"AA-AA-AA-AA-AA-AA\",\"MACPrefix\":\"AA-AA-AA\",\"NeighborName\":\"!!!!UNKNOWN!!!!\",\"__mv_LocalAddressIP4\":\"\",\"__mv_aip\":\"$67.43.156.14$;$67.43.156.13$\",\"__mv_discoverer_aid\":\"$4b8f58d3f5f040b3804d3820ca2aed67$;$c1b74438660b44cfa93e24c9d44badab$\",\"__mv_discoverer_devicetype\":\"\",\"_time\":\"1678931820.343\",\"aip\":\"67.43.156.13 67.43.156.14 81.2.69.192\",\"aipCount\":\"3\",\"cid\":\"500c5073b4d7443688f4b32c5eeb295b\",\"discovererCount\":\"2\",\"discoverer_aid\":\"4b8f58d3f5f040b3804d3820ca2aed67 c1b74438660b44cfa93e24c9d44badab\",\"discoverer_devicetype\":\"\",\"localipCount\":\"1\",\"subnet\":\"10.0\"}" + }, + "host": { + "hostname": "HQ-sadhkbasHS", + "name": "HQ-sadhkbasHS" + }, + "observer": { + "address": [ + "67.43.156.13", + "67.43.156.14", + "81.2.69.192" + ], + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": [ + "67.43.156.13", + "67.43.156.14", + "81.2.69.192" + ], + "type": "agent", + "vendor": "crowdstrike" + }, + "related": { + "hosts": [ + "67.43.156.13", + "67.43.156.14", + "81.2.69.192", + "HQ-sadhkbasHS" + ], + "ip": [ + "67.43.156.13", + "67.43.156.14", + "81.2.69.192" + ] + }, + "source": { "address": "67.43.156.13", + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", "country_iso_code": "BT", 
@@ -11139,6 +11762,60 @@
 }
 },
 "ip": "67.43.156.13",
+ "mac": "AA-AA-AA-AA-AA-AA"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "url": {
+ "scheme": "http"
+ }
+ },
+ {
+ "@timestamp": "2020-11-08T15:54:59.812Z",
+ "crowdstrike": {
+ "ConfigStateHash": "666346415",
+ "EffectiveTransmissionClass": "3",
+ "EndTime": "2022-12-03T18:42:00.000Z",
+ "Entitlements": "15",
+ "StartTime": "2022-12-03T18:42:00.000Z",
+ "VolumeName": "\\Device\\HarddiskVolume27",
+ "cid": "ffffffff30a3407dae27d0503611022d",
+ "name": "FsVolumeUnmountedV2"
+ },
+ "ecs": {
+ "version": "8.6.0"
+ },
+ "event": {
+ "action": "FsVolumeUnmounted",
+ "category": [
+ "host"
+ ],
+ "created": "2020-11-08T15:54:59.812Z",
+ "id": "ffffffff-1111-11eb-9f70-0634389d9ea9",
+ "kind": "event",
+ "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"666346415\",\"ContextProcessId\":\"1717987648455\",\"ContextThreadId\":\"55064470042288\",\"ContextTimeStamp\":\"\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"VolumeName\":\"\\\\Device\\\\HarddiskVolume27\",\"aid\":\"ffffffff896b43725b83c79aa79959da\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"FsVolumeUnmounted\",\"id\":\"ffffffff-1111-11eb-9f70-0634389d9ea9\",\"name\":\"FsVolumeUnmountedV2\",\"timestamp\":\"1604850899812\",\"StartTime\":133145665200000000,\"EndTime\":133145665200000000}",
+ "outcome": "success",
+ "type": [
+ "change"
+ ]
+ },
+ "observer": {
+ "address": [
+ "67.43.156.13"
+ ],
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": [
+ "67.43.156.13"
+ ],
 "serial_number": "ffffffff896b43725b83c79aa79959da",
 "type": "agent",
 "vendor": "crowdstrike",
diff --git a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
index d3524ebd2f4..cf6a933c7b0 100644
--- a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
@@ -51,6 +51,16 @@ processors:
 - UNIX
 ignore_failure: true
 if: ctx.event?.created == null
+ - date:
+ tag: date-_time
+ description: Parse _time from event.
+ field: crowdstrike._time
+ target_field: event.created
+ formats:
+ - ISO8601
+ - UNIX
+ ignore_failure: true
+ if: ctx.event?.created == null
 - set:
 tag: set-timestamp
 field: "@timestamp"
@@ -63,12 +73,10 @@ processors:
 if: ctx["@timestamp"] == null
 - script:
 tag: date-context-timestamp-from-nt
+ if: (ctx.crowdstrike?.ContextTimeStamp != null && ctx.crowdstrike?.ContextTimeStamp != "")
 description: Conditionally convert ContextTimestamp from Windows NT timestamp format to UNIX.
 lang: painless
 source: |-
- if (ctx.crowdstrike?.ContextTimeStamp == null) {
- return;
- }
 long timestamp;
 if (ctx.crowdstrike.ContextTimeStamp instanceof long) {
 timestamp = (long)ctx.crowdstrike.ContextTimeStamp;
@@ -82,7 +90,7 @@ processors:
 }
 - date:
 tag: date-context-timestamp
- if: ctx.crowdstrike?.ContextTimeStamp != null
+ if: (ctx.crowdstrike?.ContextTimeStamp != null && ctx.crowdstrike?.ContextTimeStamp != "")
 field: crowdstrike.ContextTimeStamp
 formats:
 - UNIX
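Review bot: The new `date-_time` processor inherits `ignore_failure: true` from the `timestamp` processor above it, so an unparsable `_time` is dropped silently and `event.created` is simply left unset for `set-timestamp` to deal with; that matches the neighbour, but the `description` should say when this one actually runs, since the `if: ctx.event?.created == null` chain makes it a fallback: `description: Parse _time into event.created when timestamp did not set it.` The sample record in this diff carries `_time` as epoch seconds with a fraction (`1678931820.343`), which the UNIX format handles, so ISO8601 is only a secondary format here. Nothing in this diff maps or removes `crowdstrike._time`; the expected output for that record shows no such field, so a later `remove` presumably covers it, but if not the value would be indexed unmapped.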
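Review bot: The condition `ctx.crowdstrike?.ContextTimeStamp != ""` on the `date-context-timestamp-from-nt` script only filters the empty-string case, so a `ContextTimeStamp` of `""` now stays in the document unconverted instead of being handled inside the script; the same condition is repeated on the `date-context-timestamp` processor in the `@@ -82,7 +90,7 @@` hunk. The expected output for the FsVolumeUnmounted record, whose original has `\"ContextTimeStamp\":\"\"`, contains no `crowdstrike.ContextTimeStamp`, so something downstream presumably strips empty values; if that is not the case, the empty string would be indexed against whatever mapping the field has. The second `?.` in each condition is redundant once the null check has passed, and `if: ctx.crowdstrike?.ContextTimeStamp != null && ctx.crowdstrike.ContextTimeStamp != ""` matches the style of the existing `append` conditions further down the file. The script body continues outside the hunk.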
@@ -147,6 +155,30 @@ processors:
 target_field: message
 ignore_missing: true
+# Handle additional added fields.
+ - convert:
+ field: crowdstrike.CurrentLocalIP
+ type: ip
+ if: (ctx.crowdstrike?.CurrentLocalIP != null && ctx.crowdstrike?.CurrentLocalIP != "")
+ - date:
+ field: crowdstrike.FirstDiscoveredDate
+ target_field: crowdstrike.FirstDiscoveredDate
+ formats:
+ - UNIX
+ if: ctx.crowdstrike?.FirstDiscoveredDate != null && ctx.crowdstrike?.FirstDiscoveredDate != ""
+ - convert:
+ field: crowdstrike.aipCount
+ type: integer
+ if: (ctx.crowdstrike?.aipCount != null && ctx.crowdstrike?.aipCount != "")
+ - convert:
+ field: crowdstrike.discovererCount
+ type: integer
+ if: (ctx.crowdstrike?.discovererCount != null && ctx.crowdstrike?.discovererCount != "")
+ - convert:
+ field: crowdstrike.localipCount
+ type: integer
+ if: (ctx.crowdstrike?.localipCount != null && ctx.crowdstrike?.localipCount != "")
+
 ## ECS fields.
 - set:
 field: ecs.version
@@ -1378,6 +1410,10 @@ processors:
 target_field: observer.serial_number
 ignore_missing: true
 ignore_failure: true
+ - split:
+ field: crowdstrike.aip
+ separator: "\\s+"
+ ignore_missing: true
 - convert:
 field: crowdstrike.aip
 type: ip
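Review bot: The five processors added under `# Handle additional added fields.` have neither `ignore_failure` nor `on_failure`, so a record with a non-numeric `aipCount`, `discovererCount` or `localipCount`, a malformed `CurrentLocalIP`, or a non-epoch `FirstDiscoveredDate` fails the whole document unless a pipeline-level `on_failure` outside this hunk catches it. These fields come from the same records that deliver `aip` as a space-separated list and `__mv_aip` in a `$…$;$…$` encoding, so tolerating odd formatting seems prudent; the `date` processors at the top of the pipeline use `ignore_failure: true` for exactly that reason, and the same flag (or an `on_failure` that records the problem in `error.message`) would fit here. Style: the `if` on `FirstDiscoveredDate` omits the parentheses its four siblings use, and the section comment uses `#` where the neighbouring headers such as `## ECS fields.` use `##`.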
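Review bot: Splitting `crowdstrike.aip` on `\\s+` yields an empty first or last element when the value carries leading or trailing whitespace, and the `convert` to `ip` that follows (its tail is outside the hunk) rejects an empty string, failing the document. A `trim` ahead of the split avoids that: `- trim:` / `field: crowdstrike.aip` / `ignore_missing: true`. The split also turns a single address into a one-element list, which is why `observer.ip` and `observer.address` change from scalar to array in `sample_event.json` further down; that is a shape change for existing queries keyed on a scalar `observer.ip` and deserves a line in the changelog if it is not already there.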
@@ -1407,17 +1443,23 @@ processors:
 - set:
 field: observer.type
 value: agent
- - append:
- field: related.ip
- value: "{{{observer.ip}}}"
- allow_duplicates: false
- if: ctx.observer?.ip != null && ctx.observer.ip != ""
- - append:
- field: related.hosts
- value: "{{{observer.ip}}}"
- allow_duplicates: false
- if: ctx.observer?.ip != null && ctx.observer.ip != ""
-
+ - foreach:
+ if: ctx.observer?.ip != null && ctx.observer.ip instanceof List
+ field: observer.ip
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - foreach:
+ if: ctx.observer?.ip != null && ctx.observer.ip instanceof List
+ field: observer.ip
+ processor:
+ append:
+ field: related.hosts
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+
 ## Host fields.
 - rename:
 field: crowdstrike.ComputerName
@@ -1886,6 +1928,11 @@ processors:
 allow_duplicates: false
 if: ctx.destination?.ip != null && ctx.destination.ip != ""
 - rename:
+ field: crowdstrike.MAC
+ target_field: source.mac
+ ignore_missing: true
+ - rename:
+ if: ctx.source?.mac == null
 field: crowdstrike.PhysicalAddress
 target_field: source.mac
 ignore_missing: true
diff --git a/packages/crowdstrike/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
index 64697cefa3e..13f9f9f731d 100644
--- a/packages/crowdstrike/data_stream/fdr/fields/fields.yml
+++ b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
@@ -3,6 +3,10 @@
 - name: crowdstrike
 type: group
 fields:
+ - name: __mv_aip
+ type: keyword
+ - name: __mv_discoverer_aid
+ type: keyword
 - name: AgentTimeOffset
 type: float
 - name: AllocateVirtualMemoryCount
@@ -49,6 +53,8 @@
 type: long
 - name: CreateProcessType
 type: keyword
+ - name: CurrentLocalIP
+ type: ip
 - name: CycleTime
 type: long
 - name: DesiredAccess
@@ -91,6 +97,8 @@
 type: keyword
 - name: FileObject
 type: keyword
+ - name: FirstDiscoveredDate
+ type: date
 - name: FirstSeen
 type: date
 - name: Flags
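Review bot: The two `foreach` processors run only when `observer.ip instanceof List`, so a scalar `observer.ip` is now silently omitted from `related.ip` and `related.hosts`, whereas the removed `append` processors handled the scalar case. That is safe only because the `split` added earlier in this diff presumably makes the field a list whenever it is set from `crowdstrike.aip`; the invariant should be written next to the guard: `# observer.ip is always a list here: crowdstrike.aip is split on whitespace before it is converted.` Appending IP addresses to `related.hosts` is pre-existing behaviour carried over rather than introduced here.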
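Review bot: `__mv_aip` and `__mv_discoverer_aid` are declared as plain `keyword`s holding the source's `$…$;$…$` multi-value encoding (see the sample in the expected output above), so they are not searchable by individual address or agent id; the parsed addresses live in `observer.ip`. A `description:` on each would spare a reader from guessing which field to query, e.g. `description: Raw multi-value encoding of aip as delivered by the source; the parsed addresses are in observer.ip.`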
@@ -129,6 +137,8 @@
 type: keyword
 - name: KernelTime
 type: long
+ - name: LastDiscoveredBy
+ type: keyword
 - name: LogoffTime
 type: date
 - name: LogonDomain
@@ -141,6 +151,8 @@
 type: date
 - name: LogonType
 type: keyword
+ - name: MACPrefix
+ type: keyword
 - name: MachOSubType
 type: keyword
 - name: MajorFunction
@@ -153,6 +165,8 @@
 type: long
 - name: NDRoot
 type: keyword
+ - name: NeighborName
+ type: keyword
 - name: NetworkBindCount
 type: long
 - name: NetworkCapableAsepWriteCount
@@ -183,6 +197,8 @@
 type: keyword
 - name: PasswordLastSet
 type: keyword
+ - name: PhysicalAddress
+ type: keyword
 - name: PhysicalAddressLength
 type: long
 - name: PointerSize
@@ -597,3 +613,13 @@
 type: keyword
 - name: WindowFlags
 type: keyword
+ - name: aipCount
+ type: integer
+ - name: discovererCount
+ type: integer
+ - name: discoverer_aid
+ type: keyword
+ - name: localipCount
+ type: integer
+ - name: subnet
+ type: keyword
diff --git a/packages/crowdstrike/data_stream/fdr/sample_event.json b/packages/crowdstrike/data_stream/fdr/sample_event.json
index 7d10739095d..a2e60cd5cc4 100644
--- a/packages/crowdstrike/data_stream/fdr/sample_event.json
+++ b/packages/crowdstrike/data_stream/fdr/sample_event.json
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2020-11-08T09:58:32.519Z",
 "agent": {
- "ephemeral_id": "88645c33-21f7-47a1-a1e6-b4a53f32ec43",
- "id": "94011a8e-8b26-4bce-a627-d54316798b52",
+ "ephemeral_id": "dcf3f5b1-c902-4016-ada2-80eba72611e1",
+ "id": "1255e325-ccf6-47ee-8e56-25027fa532e2",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.6.0"
@@ -34,8 +34,8 @@
 "version": "8.6.0"
 },
 "elastic_agent": {
- "id": "94011a8e-8b26-4bce-a627-d54316798b52",
- "snapshot": true,
+ "id": "1255e325-ccf6-47ee-8e56-25027fa532e2",
+ "snapshot": false,
 "version": "8.6.0"
 },
 "event": {
@@ -47,7 +47,7 @@
 "created": "2020-11-08T17:07:22.091Z",
 "dataset": "crowdstrike.fdr",
 "id": "ffffffff-1111-11eb-9756-06fe7f8f682f",
- "ingested": "2023-01-13T12:18:46Z",
+ "ingested": "2023-03-23T10:48:10Z",
 "kind": "alert",
 "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}",
 "outcome": "success",
@@ -74,7 +74,9 @@
 "offset": 95203
 },
 "observer": {
- "address": "67.43.156.14",
+ "address": [
+ "67.43.156.14"
+ ],
 "geo": {
 "continent_name": "Asia",
 "country_iso_code": "BT",
@@ -84,7 +86,9 @@
 "lon": 90.5
 }
 },
- "ip": "67.43.156.14",
+ "ip": [
+ "67.43.156.14"
+ ],
 "serial_number": "ffffffffac4148947ed68497e89f3308",
 "type": "agent",
 "vendor": "crowdstrike",
diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md
index 18afd32f1f9..a01c3c12ad1 100644
--- a/packages/crowdstrike/docs/README.md
+++ b/packages/crowdstrike/docs/README.md
@@ -519,6 +519,7 @@ and/or `session_token`.
 | crowdstrike.CreateProcessCount | | long |
 | crowdstrike.CreateProcessType | | keyword |
 | crowdstrike.CurrentFunctionalityLevel | | keyword |
+| crowdstrike.CurrentLocalIP | | ip |
 | crowdstrike.CycleTime | | long |
 | crowdstrike.DesiredAccess | | keyword |
 | crowdstrike.DeviceId | | keyword |
@@ -553,6 +554,7 @@ and/or `session_token`.
 | crowdstrike.FileObject | | keyword |
 | crowdstrike.FirmwareAnalysisEclConsumerInterfaceVersion | | keyword |
 | crowdstrike.FirmwareAnalysisEclControlInterfaceVersion | | keyword |
+| crowdstrike.FirstDiscoveredDate | | date |
 | crowdstrike.FirstSeen | | date |
 | crowdstrike.Flags | | keyword |
 | crowdstrike.GenericFileWrittenCount | | long |
@@ -583,6 +585,7 @@ and/or `session_token`.
 | crowdstrike.IsOnRemovableDisk | | keyword |
 | crowdstrike.IsTransactedFile | | keyword |
 | crowdstrike.KernelTime | | long |
+| crowdstrike.LastDiscoveredBy | | keyword |
 | crowdstrike.LfoUploadFlags | | keyword |
 | crowdstrike.LightningLatencyState | | keyword |
 | crowdstrike.Line | | keyword |
@@ -594,6 +597,7 @@ and/or `session_token`.
 | crowdstrike.LogonServer | | keyword |
 | crowdstrike.LogonTime | | date |
 | crowdstrike.LogonType | | keyword |
+| crowdstrike.MACPrefix | | keyword |
 | crowdstrike.MLModelVersion | | keyword |
 | crowdstrike.MachOSubType | | keyword |
 | crowdstrike.MajorFunction | | keyword |
@@ -610,6 +614,7 @@ and/or `session_token`.
 | crowdstrike.ModuleLoadCount | | long |
 | crowdstrike.NDRoot | | keyword |
 | crowdstrike.NeighborList | | keyword |
+| crowdstrike.NeighborName | | keyword |
 | crowdstrike.NetLuidIndex | | long |
 | crowdstrike.NetworkBindCount | | long |
 | crowdstrike.NetworkCapableAsepWriteCount | | long |
@@ -637,6 +642,7 @@ and/or `session_token`.
 | crowdstrike.ParentAuthenticationId | | keyword |
 | crowdstrike.PasswordLastSet | | keyword |
 | crowdstrike.PciAttachmentState | | keyword |
+| crowdstrike.PhysicalAddress | | keyword |
 | crowdstrike.PhysicalAddressLength | | long |
 | crowdstrike.PhysicalCoreCount | | long |
 | crowdstrike.PointerSize | | keyword |
@@ -761,8 +767,15 @@ and/or `session_token`.
 | crowdstrike.VolumeType | | keyword |
 | crowdstrike.VolumeUUID | | keyword |
 | crowdstrike.WindowFlags | | keyword |
+| crowdstrike.__mv_aip | | keyword |
+| crowdstrike.__mv_discoverer_aid | | keyword |
+| crowdstrike.aipCount | | integer |
 | crowdstrike.cid | | keyword |
+| crowdstrike.discovererCount | | integer |
+| crowdstrike.discoverer_aid | | keyword |
+| crowdstrike.localipCount | | integer |
 | crowdstrike.name | | keyword |
+| crowdstrike.subnet | | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
@@ -907,8 +920,8 @@ An example event for `fdr` looks as following:
 {
 "@timestamp": "2020-11-08T09:58:32.519Z",
 "agent": {
- "ephemeral_id": "88645c33-21f7-47a1-a1e6-b4a53f32ec43",
- "id": "94011a8e-8b26-4bce-a627-d54316798b52",
+ "ephemeral_id": "dcf3f5b1-c902-4016-ada2-80eba72611e1",
+ "id": "1255e325-ccf6-47ee-8e56-25027fa532e2",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.6.0"
@@ -940,8 +953,8 @@ An example event for `fdr` looks as following:
 "version": "8.6.0"
 },
 "elastic_agent": {
- "id": "94011a8e-8b26-4bce-a627-d54316798b52",
- "snapshot": true,
+ "id": "1255e325-ccf6-47ee-8e56-25027fa532e2",
+ "snapshot": false,
 "version": "8.6.0"
 },
 "event": {
@@ -953,7 +966,7 @@ An example event for `fdr` looks as following:
 "created": "2020-11-08T17:07:22.091Z",
 "dataset": "crowdstrike.fdr",
 "id": "ffffffff-1111-11eb-9756-06fe7f8f682f",
- "ingested": "2023-01-13T12:18:46Z",
+ "ingested": "2023-03-23T10:48:10Z",
 "kind": "alert",
 "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}",
 "outcome": "success",
@@ -980,7 +993,9 @@ An example event for `fdr` looks as following:
 "offset": 95203
 },
 "observer": {
- "address": "67.43.156.14",
+ "address": [
+ "67.43.156.14"
+ ],
 "geo": {
 "continent_name": "Asia",
 "country_iso_code": "BT",
@@ -990,7 +1005,9 @@ An example event for `fdr` looks as following:
 "lon": 90.5
 }
 },
- "ip": "67.43.156.14",
+ "ip": [
+ "67.43.156.14"
+ ],
 "serial_number": "ffffffffac4148947ed68497e89f3308",
 "type": "agent",
 "vendor": "crowdstrike",
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
index 75b900ac013..f7b5049b1d5 100644
--- a/packages/crowdstrike/manifest.yml
+++ b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.11.0"
+version: "1.11.1"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: 1.0.0